diff --git a/manifests/params.pp b/manifests/params.pp
index 584bd58b..e72e6a49 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -40,6 +40,11 @@ class swift::params {
 $account_reaper_service_name = 'swift-account-reaper'
 $account_replicator_service_name = 'swift-account-replicator'
 $swift3 = 'swift-plugin-s3'
+ if ($::os_package_type == 'debian') {
+ $signing_dir = '/var/lib/swift'
+ }else{
+ $signing_dir = '/var/cache/swift'
+ }
 }
 'RedHat': {
 $package_name = 'openstack-swift'
@@ -66,6 +71,7 @@ class swift::params {
 $account_reaper_service_name = 'openstack-swift-account-reaper'
 $account_replicator_service_name = 'openstack-swift-account-replicator'
 $swift3 = 'openstack-swift-plugin-swift3'
+ $signing_dir = '/var/cache/swift'
 }
 default: {
 fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp
index a4d9e389..e4cb973d 100644
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@@ -11,7 +11,7 @@
 #
 # [*signing_dir*]
 # The cache directory for signing certificates.
-# Defaults to '/var/cache/swift'
+# Defaults to $::swift::params::signing_dir
 #
 # [*cache*]
 # The cache backend to use
@@ -87,7 +87,7 @@
 #
 class swift::proxy::authtoken(
 $delay_auth_decision = 1,
- $signing_dir = '/var/cache/swift',
+ $signing_dir = $::swift::params::signing_dir,
 $cache = 'swift.cache',
 $auth_uri = 'http://127.0.0.1:5000',
 $auth_url = 'http://127.0.0.1:5000',
@@ -104,7 +104,7 @@ class swift::proxy::authtoken(
 $admin_password = undef,
 $identity_uri = undef,
 $admin_token = undef,
-) {
+) inherits swift::params {
 include ::swift::deps
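Review bot: The new `if ($::os_package_type == 'debian')` branch in the Debian case of swift::params (first params.pp hunk) carries no comment saying why the signing directory depends on the packaging, so a maintainer has to find the release note to learn that it is a permissions issue. I would add a comment above it such as `# Debian's init scripts set /var/cache/swift to 0755, so keep signing material in /var/lib/swift there`. The `}else{` on the third added line should also be spaced as `} else {`. The enclosing case statement starts and ends outside the hunk.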
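Review bot: The updated `signing_dir` parameter doc in the authtoken.pp header (hunk at line 11) now points at `$::swift::params::signing_dir` without saying what that resolves to, so the class header no longer tells an operator where the signing certificates are cached. I would spell the values out, for example `#   Defaults to $::swift::params::signing_dir ('/var/lib/swift' with Debian packaging, '/var/cache/swift' otherwise)`. Both values are taken from the params.pp hunks of this same commit.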
@@ -133,16 +133,19 @@ class swift::proxy::authtoken(
 $project_name_real = pick($admin_tenant_name, $project_name)
 $password_real = pick($admin_password, $password)
- file { $signing_dir:
- ensure => directory,
- mode => '0700',
- owner => 'swift',
- group => 'swift',
- selinux_ignore_defaults => true,
- require => Anchor['swift::config::begin'],
- before => Anchor['swift::config::end'],
+ if ($::os_package_type != 'debian') {
+ file { $signing_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'swift',
+ group => 'swift',
+ selinux_ignore_defaults => true,
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end'],
+ }
 }
+
 swift_proxy_config {
 'filter:authtoken/log_name': value => 'swift';
 'filter:authtoken/signing_dir': value => $signing_dir;
diff --git a/releasenotes/notes/signing-dir-543b814469e76728.yaml b/releasenotes/notes/signing-dir-543b814469e76728.yaml
new file mode 100644
index 00000000..aaa77857
--- /dev/null
+++ b/releasenotes/notes/signing-dir-543b814469e76728.yaml
@@ -0,0 +1,6 @@
+---
+prelude: >
+ The default signing_dir is changed to /var/lib/swift for Debian. For all
+ other OSes, /var/cache/swift is kept. This is due to the fact that the
+ Debian sysv-init / systemd scripts are setting /var/cache/swift with the
+ unix rights 0755, which isn't safe for this OS.
diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb
index 36e59dd8..980d40a9 100644
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
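Review bot: The `if ($::os_package_type != 'debian')` guard added around `file { $signing_dir:` in swift::proxy::authtoken tests the packaging fact rather than the directory, so with Debian packaging nothing in this class enforces owner `swift` and mode `0700` on the signing directory any more, including when a caller passes a custom `signing_dir`. The release note in this commit gives loose permissions (0755 on /var/cache/swift) as the reason for the change, so it is worth confirming that the Debian package creates /var/lib/swift with suitably restrictive ownership and mode, which is not visible here. If the guard exists only to avoid managing the packaged default path, a narrower condition would keep custom paths locked down: `if ($::os_package_type != 'debian') or ($signing_dir != $::swift::params::signing_dir) {`. The class body continues outside the hunk.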
@@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do
 describe "when using default parameters" do
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
- it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') }
+ it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
@@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
 facts.merge(OSDefaults.get_facts())
 end
+ let(:platform_params) do
+ case facts[:osfamily]
+ when 'Debian'
+ if facts[:os_package_type] == 'debian'
+ { :default_signing_dir => '/var/lib/swift' }
+ else
+ { :default_signing_dir => '/var/cache/swift' }
+ end
+ when 'RedHat'
+ { :default_signing_dir => '/var/cache/swift' }
+ end
+ end
+
 it_configures 'swift::proxy::authtoken'
 end
 end
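Review bot: The `platform_params` helper added in the second spec hunk only feeds the `signing_dir` value check, and nothing in the visible hunks asserts that the `file` resource for the signing directory is absent with Debian packaging and still present with mode `0700` elsewhere, so the new conditional in authtoken.pp appears untested. I would add a boolean key such as `:manages_signing_dir` to each hash and an example that checks `contain_file(platform_params[:default_signing_dir]).with_mode('0700')` or its negation accordingly. The `case` also has no `else`, so any other osfamily yields nil and the examples fail with a NoMethodError instead of a clear message. The enclosing context block starts outside the hunk.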