diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py
index ee8dcd506..56b3fb71a 100644
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@@ -81,6 +81,10 @@ p11_crypto_plugin_opts = [
     cfg.BoolOpt('aes_gcm_generate_iv',
                 help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
                 default=True, deprecated_name='generate_iv'),
+    cfg.BoolOpt('always_set_cka_sensitive',
+                help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
+                         'CKA_EXTRACTABLE=CK_TRUE keys.'),
+                default=True),
 ]
 CONF.register_group(p11_crypto_plugin_group)
 CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@@ -302,6 +306,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
             ffi=ffi,
             seed_random_buffer=seed_random_buffer,
             generate_iv=plugin_conf.aes_gcm_generate_iv,
+            always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
         )
 
     def _reinitialize_pkcs11(self):
diff --git a/barbican/plugin/crypto/pkcs11.py b/barbican/plugin/crypto/pkcs11.py
index d33e7fcfb..737d5a9b6 100644
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@@ -356,7 +356,7 @@ class PKCS11(object):
                  encryption_mechanism=None,
                  ffi=None, algorithm=None,
                  seed_random_buffer=None,
-                 generate_iv=None):
+                 generate_iv=None, always_set_cka_sensitive=None):
         if algorithm:
             LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
             encryption_mechanism = encryption_mechanism or algorithm
@@ -385,6 +385,7 @@ class PKCS11(object):
         self.noncesize = 12
         self.gcmtagsize = 16
         self.generate_iv = generate_iv
+        self.always_set_cka_sensitive = always_set_cka_sensitive
 
         # Validate configuration and RNG
         session = self.get_session()
@@ -583,7 +584,7 @@ class PKCS11(object):
         token = master_key
         extractable = not master_key
         # in some HSMs extractable keys cannot be marked sensitive
-        sensitive = not extractable
+        sensitive = self.always_set_cka_sensitive or not extractable
 
         ck_attributes = [
             Attribute(CKA_CLASS, CKO_SECRET_KEY),
diff --git a/releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml b/releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml
new file mode 100644
index 000000000..558f4f80e
--- /dev/null
+++ b/releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixed Story #2004734:  Added a new option `always_set_cka_sensitive` to
+    fix a regression that affected Safenet HSMs.  The option defaults to `True`
+    as required by Safenet HSMs.  Other HSMs may require it be set to `False`.
+