diff --git a/lib/puppet/type/cinder_api_paste_ini.rb b/lib/puppet/type/cinder_api_paste_ini.rb index 57ff8254..d895b4a3 100644 --- a/lib/puppet/type/cinder_api_paste_ini.rb +++ b/lib/puppet/type/cinder_api_paste_ini.rb @@ -14,6 +14,29 @@ Puppet::Type.newtype(:cinder_api_paste_ini) do value.capitalize! if value =~ /^(true|false)$/i value end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end end + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false + end end diff --git a/lib/puppet/type/cinder_config.rb b/lib/puppet/type/cinder_config.rb index 51b245dd..62d38256 100644 --- a/lib/puppet/type/cinder_config.rb +++ b/lib/puppet/type/cinder_config.rb @@ -14,6 +14,29 @@ Puppet::Type.newtype(:cinder_config) do value.capitalize! if value =~ /^(true|false)$/i value end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end end + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false + end end diff --git a/manifests/api.pp b/manifests/api.pp index ee73f9df..035e9eea 100644 --- a/manifests/api.pp +++ b/manifests/api.pp 
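Review bot: The `desc` on the new `secret` parameter should state how far the redaction reaches, because `is_to_s` and `should_to_s` only replace the strings used in the property's change messages. The manifests still pass the value as `value =>`, so it presumably remains in the compiled catalog and in the written config file, and it may also appear in report event fields depending on the Puppet version, which is worth confirming. I would word it as `desc 'Whether to hide the value from Puppet change log messages; the catalog and the managed file still contain it. Defaults to false.'`. The same applies to the identical hunk in `lib/puppet/type/cinder_config.rb`; the enclosing property block starts outside the hunk.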
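Review bot: In `lib/puppet/type/cinder_config.rb`, `is_to_s`, `should_to_s` and the `secret` parameter are copied verbatim from `cinder_api_paste_ini.rb`, so the two placeholder strings can drift apart when one type is edited later. A comment above the methods, such as `# Keep in sync with cinder_api_paste_ini.rb: redacts the value in change messages when secret => true`, would flag that. The if/else with explicit `return` can also be a single expression, `resource.secret? ? '[old secret redacted]' : currentvalue`, and likewise for `should_to_s`.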
@@ -60,7 +60,7 @@ class cinder::api ( 'filter:authtoken/auth_port': value => $keystone_auth_port; 'filter:authtoken/admin_tenant_name': value => $keystone_tenant; 'filter:authtoken/admin_user': value => $keystone_user; - 'filter:authtoken/admin_password': value => $keystone_password; + 'filter:authtoken/admin_password': value => $keystone_password, secret => true; } } diff --git a/manifests/init.pp b/manifests/init.pp index 071227fd..867aa960 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -69,7 +69,7 @@ class cinder ( } cinder_config { - 'DEFAULT/rabbit_password': value => $rabbit_password; + 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true; 'DEFAULT/rabbit_userid': value => $rabbit_userid; 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host; } @@ -99,7 +99,7 @@ class cinder ( 'DEFAULT/qpid_hostname': value => $qpid_hostname; 'DEFAULT/qpid_port': value => $qpid_port; 'DEFAULT/qpid_username': value => $qpid_username; - 'DEFAULT/qpid_password': value => $qpid_password; + 'DEFAULT/qpid_password': value => $qpid_password, secret => true; 'DEFAULT/qpid_reconnect': value => $qpid_reconnect; 'DEFAULT/qpid_reconnect_timeout': value => $qpid_reconnect_timeout; 'DEFAULT/qpid_reconnect_limit': value => $qpid_reconnect_limit; @@ -113,7 +113,7 @@ class cinder ( } cinder_config { - 'DEFAULT/sql_connection': value => $sql_connection; + 'DEFAULT/sql_connection': value => $sql_connection, secret => true; 'DEFAULT/verbose': value => $verbose; 'DEFAULT/debug': value => $debug; 'DEFAULT/api_paste_config': value => $api_paste_config; diff --git a/manifests/volume/netapp.pp b/manifests/volume/netapp.pp index ff48ee0b..51abf81f 100644 --- a/manifests/volume/netapp.pp +++ b/manifests/volume/netapp.pp 
@@ -14,7 +14,7 @@ class cinder::volume::netapp ( 'DEFAULT/volume_driver': value => 'cinder.volume.netapp.NetAppISCSIDriver'; 'DEFAULT/netapp_wsdl_url': value => $netapp_wsdl_url; 'DEFAULT/netapp_login': value => $netapp_login; - 'DEFAULT/netapp_password': value => $netapp_password; + 'DEFAULT/netapp_password': value => $netapp_password, secret => true; 'DEFAULT/netapp_server_hostname': value => $netapp_server_hostname; 'DEFAULT/netapp_storage_service': value => $netapp_storage_service; 'DEFAULT/netapp_server_port': value => $netapp_server_port; diff --git a/spec/classes/cinder_api_spec.rb b/spec/classes/cinder_api_spec.rb index f01cfa2d..537cd9dc 100644 --- a/spec/classes/cinder_api_spec.rb +++ b/spec/classes/cinder_api_spec.rb @@ -50,7 +50,8 @@ describe 'cinder::api' do :value => 'cinder' ) should contain_cinder_api_paste_ini('filter:authtoken/admin_password').with( - :value => 'foo' + :value => 'foo', + :secret => true ) end end diff --git a/spec/classes/cinder_spec.rb b/spec/classes/cinder_spec.rb index 30426d4c..54023d61 100644 --- a/spec/classes/cinder_spec.rb +++ b/spec/classes/cinder_spec.rb @@ -20,7 +20,8 @@ describe 'cinder' do :value => 'cinder.openstack.common.rpc.impl_kombu' ) should contain_cinder_config('DEFAULT/rabbit_password').with( - :value => 'guest' + :value => 'guest', + :secret => true ) should contain_cinder_config('DEFAULT/rabbit_host').with( :value => '127.0.0.1' @@ -41,7 +42,8 @@ describe 'cinder' do :value => 'guest' ) should contain_cinder_config('DEFAULT/sql_connection').with( - :value => 'mysql://user:password@host/database' + :value => 'mysql://user:password@host/database', + :secret => true ) should contain_cinder_config('DEFAULT/verbose').with( :value => false @@ -81,7 +83,7 @@ describe 'cinder' do :value => 'rabbit1:5672,rabbit2:5672' ) should contain_cinder_config('DEFAULT/rabbit_ha_queues').with( - :value => true + :value => true ) end end 
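Review bot: The added expectation in `spec/classes/cinder_api_spec.rb`, like those in the `cinder_spec.rb` and `cinder_volume_netapp_spec.rb` hunks, only asserts that the catalog resource carries `secret => true`; none of them exercises the redaction itself. No spec for the `cinder_config` or `cinder_api_paste_ini` types is visible in this diff, so a regression in `is_to_s` or `should_to_s` would go unnoticed. A type-level example that builds a resource with `:secret => true` and checks that `should_to_s` on the value property returns `'[new secret redacted]'` would cover it. With `secret` left at its default, the same call should return the value unchanged.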
@@ -101,7 +103,7 @@ describe 'cinder' do it { should contain_cinder_config('DEFAULT/qpid_hostname').with_value('localhost') } it { should contain_cinder_config('DEFAULT/qpid_port').with_value('5672') } it { should contain_cinder_config('DEFAULT/qpid_username').with_value('guest') } - it { should contain_cinder_config('DEFAULT/qpid_password').with_value('guest') } + it { should contain_cinder_config('DEFAULT/qpid_password').with_value('guest').with_secret(true) } it { should contain_cinder_config('DEFAULT/qpid_reconnect').with_value(true) } it { should contain_cinder_config('DEFAULT/qpid_reconnect_timeout').with_value('0') } it { should contain_cinder_config('DEFAULT/qpid_reconnect_limit').with_value('0') } diff --git a/spec/classes/cinder_volume_netapp_spec.rb b/spec/classes/cinder_volume_netapp_spec.rb index dfbb9b5a..ac3f0076 100644 --- a/spec/classes/cinder_volume_netapp_spec.rb +++ b/spec/classes/cinder_volume_netapp_spec.rb @@ -30,6 +30,10 @@ describe 'cinder::volume::netapp' do should contain_cinder_config("DEFAULT/#{config}").with_value( value ) end end + + it 'marks netapp_password as secret' do + should contain_cinder_config('DEFAULT/netapp_password').with_secret( true ) + end end