diff --git a/README.md b/README.md index d11af9f..c1e32c7 100644 --- a/README.md +++ b/README.md @@ -198,6 +198,7 @@ Miscellaneous Options Arrays whose elements will be copied exactly into the respective config files (contents e.g. ['option1=value1', 'option2=value2']). * `openstack["orchestration"]["misc_heat"]` - Array of bare options for `heat.conf`. +* `orchestration_auth_encryption_key` - Key used to encrypt authentication info in the database. Length of this key must be 16, 24 or 32 characters. Comes from secrets databag. Testing ===== diff --git a/recipes/common.rb b/recipes/common.rb index 8a4303e..a5143f0 100644 --- a/recipes/common.rb +++ b/recipes/common.rb @@ -63,6 +63,7 @@ heat_api_cloudwatch_bind = internal_endpoint 'orchestration-api-cloudwatch-bind' heat_api_cloudwatch_endpoint = internal_endpoint 'orchestration-api-cloudwatch' service_pass = get_password 'service', 'openstack-orchestration' +auth_encryption_key = get_password 'token', 'orchestration_auth_encryption_key' stack_domain_admin_password = nil if node['openstack']['orchestration']['stack_domain_admin'] @@ -116,6 +117,7 @@ template '/etc/heat/heat.conf' do auth_uri: auth_uri, identity_uri: identity_uri, service_pass: service_pass, + auth_encryption_key: auth_encryption_key, sql_connection: sql_connection, heat_api_bind: heat_api_bind, heat_api_endpoint: heat_api_endpoint, diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 11028ce..ed04b37 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -55,6 +55,9 @@ shared_context 'orchestration_stubs' do allow_any_instance_of(Chef::Recipe).to receive(:get_password) .with('user', 'admin') .and_return 'admin_pass' + allow_any_instance_of(Chef::Recipe).to receive(:get_password) + .with('token', 'orchestration_auth_encryption_key') + .and_return 'auth_encryption_key_secret' allow(Chef::Application).to receive(:fatal!) end end 
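Review bot: In recipes/common.rb (hunk at -63), the value returned by `get_password 'token', 'orchestration_auth_encryption_key'` is passed on without checking the length that the README change in this same commit documents as mandatory (16, 24 or 32 characters). A key of another length, or a missing data bag item, would presumably only surface when Heat reads heat.conf, after the file has already been written. A converge-time guard right after the assignment would fail earlier and more clearly, for example `Chef::Application.fatal!('orchestration_auth_encryption_key must be 16, 24 or 32 characters') unless [16, 24, 32].include?(auth_encryption_key.to_s.length)`. Keep the key value itself out of the error message.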
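Review bot: In recipes/common.rb (hunk at -116), `auth_encryption_key` joins `service_pass` in the variables of `template '/etc/heat/heat.conf'`, and nothing in the visible lines marks that resource as sensitive. Without `sensitive true` Chef can print the rendered diff, including the key, in converge output and reports. The resource body starts on the hunk header and continues past the hunk, so `sensitive`, `mode` and `owner` may already be set there; if not, add `sensitive true` and a `mode` that denies world read.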
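Review bot: In spec/spec_helper.rb (hunk at -55), the stubbed key `'auth_encryption_key_secret'` is 26 characters long, which is not one of the lengths (16, 24 or 32) the README says the key must have. The fixture therefore exercises a value a real deployment should reject, and it would break as soon as a length check is added to the recipe. Use a constructed 32-character sample such as `'0123456789abcdef0123456789abcdef'` here and in the `sets auth_encryption_key` expectation in the hunk at -195. The `shared_context` block starts before this hunk.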
@@ -195,6 +198,10 @@ shared_examples 'expects to create heat conf' do expect(chef_run).to render_file(file.name).with_content(/^insecure=false$/) end + it 'sets auth_encryption_key' do + expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^auth_encryption_key=auth_encryption_key_secret$/) + end + describe 'default values for certificates files' do it 'has no such values' do [ diff --git a/templates/default/heat.conf.erb b/templates/default/heat.conf.erb index ab1da26..6cf34bb 100644 --- a/templates/default/heat.conf.erb +++ b/templates/default/heat.conf.erb @@ -211,7 +211,7 @@ num_engine_workers=<%= node['openstack']['orchestration']['num_engine_workers'] # Encryption key used for authentication info in database. # (string value) -#auth_encryption_key=notgood but just long enough i think +auth_encryption_key=<%= @auth_encryption_key %> #
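Review bot: In templates/default/heat.conf.erb, the rendered line `auth_encryption_key=<%= @auth_encryption_key %>` replaces a commented-out option, so nodes converged before this commit were presumably running on Heat's built-in default key. Data Heat already encrypted with that default would likely no longer decrypt once a different key is rendered, so the README or release notes should describe the upgrade path for existing deployments. A nil variable would also render an empty `auth_encryption_key=` line; the recipe should reject that before the template is written. Suggested comment above the option: `# Set from the secrets data bag; changing it makes previously encrypted data unreadable.`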