diff --git a/exports/keystone_authtoken.j2 b/exports/keystone_authtoken.j2
index 2d712e7..7cddfaa 100644
--- a/exports/keystone_authtoken.j2
+++ b/exports/keystone_authtoken.j2
@@ -12,4 +12,8 @@ memcached_servers = {{ address("memcached", memcached.port) }}
 {% if keystone.tls.enabled %}
 cafile = /opt/ccp/etc/tls/ca.pem
 {% endif %}
+{% if keystone.encrypt_tokens_in_memcached.enabled %}
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ keystone.encrypt_tokens_in_memcached.secret_key }}
+{% endif %}
 {%- endmacro %}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 528b923..f3a78cb 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -27,6 +27,10 @@ configs:
       # format can be basic or cadf:
       format: cadf
 
+    encrypt_tokens_in_memcached:
+      enabled: true
+      secret_key: password
+
   openstack:
     user_password: password
     user_name: admin