diff --git a/tasks/provision.yml b/tasks/provision.yml
index 57e6b44..c4bde9c 100644
--- a/tasks/provision.yml
+++ b/tasks/provision.yml
@@ -98,6 +98,22 @@
     service_name: 'keystone'
     database_name: 'keystone'
 
+# NOTE(flaper87): Requesting a PVC should probably not be the default, explore
+# using secrets for the fernet keys
+- name: Create keystone PVC
+  k8s_v1_persistent_volume_claim:
+    host: "{{coe_host}}"
+    context: "{{coe_config_context}}"
+    kubeconfig: "{{coe_config_file}}"
+    name: keystone-fernet
+    namespace: "{{namespace}}"
+    state: present
+    spec_access_modes:
+      - ReadWriteMany
+    spec_storage_class_name: slow
+    spec_resources_requests:
+      storage: 1Gi
+
 - name: Create keystone job
   k8s_v1_job:
     host: "{{coe_host}}"
@@ -125,9 +141,8 @@
         config_map:
           name: keystone
       - name: keystone-fernet
-        hostPath:
-          # directory location on host
-          path: /tmp/keystone-fernet
+        persistentVolumeClaim:
+          claimName: keystone-fernet
     state: present
 
 - name: Keystone fernet bootstrap
@@ -156,9 +171,8 @@
         config_map:
           name: keystone
       - name: keystone-fernet
-        hostPath:
-          # directory location on host
-          path: /tmp/keystone-fernet
+        persistentVolumeClaim:
+          claimName: keystone-fernet
     state: present
 
 - name: Keystone bootstrap
@@ -212,9 +226,8 @@
         config_map:
           name: keystone
       - name: keystone-fernet
-        hostPath:
-          # directory location on host
-          path: /tmp/keystone-fernet
+        persistentVolumeClaim:
+          claimName: keystone-fernet
     state: present
 
 
@@ -270,9 +283,8 @@
         config_map:
           name: keystone
       - name: keystone-fernet
-        hostPath:
-          # directory location on host
-          path: /tmp/keystone-fernet
+        persistentVolumeClaim:
+          claimName: keystone-fernet
     state: present
   register: create_service