diff --git a/lib/puppet/functions/generate_fernet_key.rb b/lib/puppet/functions/generate_fernet_key.rb
new file mode 100644
index 00000000..0a26ec7e
--- /dev/null
+++ b/lib/puppet/functions/generate_fernet_key.rb
@@ -0,0 +1,12 @@
+require 'securerandom'
+
+Puppet::Functions.create_function(:generate_fernet_key) do
+  # @return 32 byte url-safe base64-encoded (with padding) Fernet symmetric encryption key
+  dispatch :generate_fernet_key do
+    return_type 'String'
+  end
+
+  def generate_fernet_key
+    SecureRandom.urlsafe_base64(32)+"="
+  end
+end
diff --git a/manifests/config.pp b/manifests/config.pp
index 8cdaba84..e208ed5d 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -8,6 +8,16 @@
     mode => '0755',
   }
 
+  file { $pulpcore::db_encrypted_fields_keyfile:
+    ensure => file,
+    content => $pulpcore::db_encrypted_fields_key,
+    owner => 'root',
+    group => $pulpcore::group,
+    mode => '0640',
+    show_diff => false,
+    require => File[$pulpcore::config_dir],
+  }
+
   concat { 'pulpcore settings':
     ensure => present,
     path => $pulpcore::settings_file,
diff --git a/manifests/init.pp b/manifests/init.pp
index 6c624297..7e304f68 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -205,7 +205,9 @@
   Integer[0] $api_service_worker_timeout = 90,
   Hash[String[1], String[1]] $api_client_auth_cn_map = {},
 ) {
-  $settings_file = "${config_dir}/settings.py"
+  $settings_file = "${config_dir}/settings.py"
+  $db_encrypted_fields_keyfile = "${config_dir}/db_encrypted_fields_key"
+  $db_encrypted_fields_key = extlib::cache_data('pulpcore_cache_data', 'db_encrypted_fields_key', generate_fernet_key())
 
   contain pulpcore::install
   contain pulpcore::database
diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb
index 277df373..4d04d4f6 100644
--- a/spec/acceptance/basic_spec.rb
+++ b/spec/acceptance/basic_spec.rb
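Review bot: The padding in `generate_fernet_key` is appended by hand (`SecureRandom.urlsafe_base64(32)+"="`), which is only correct because 32 input bytes always leave exactly one pad character; `SecureRandom.urlsafe_base64` already takes a padding flag, so `SecureRandom.urlsafe_base64(32, true)` produces the same 44-character key without the hard-coded `"="` and without the missing-operator-spacing warning RuboCop will raise on that line. The function is registered in the global namespace as `generate_fernet_key`; naming it `pulpcore::generate_fernet_key` (under `lib/puppet/functions/pulpcore/`) follows current Puppet convention and avoids a clash with any other module shipping a function of that name, with the single call site in manifests/init.pp updated to match. The `@return` comment is the only documentation; a one-line `# @summary Generates a random Fernet key for pulpcore's encrypted database fields.` above the dispatch makes the function's purpose visible in generated reference docs.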
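Review bot: The new keyfile resource in manifests/config.pp leaves `backup` at its default, so whenever the content changes the previous key is written in clear text into the agent's local filebucket; add `backup => false,` alongside `show_diff => false`. `show_diff` keeps the diff out of logs and reports, but the key is still carried as a plain string, and on Puppet versions that support the Sensitive data type wrapping it — `content => Sensitive($pulpcore::db_encrypted_fields_key),` — also redacts the value from report events. The enclosing class body begins and ends outside the hunk.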
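Review bot: In manifests/init.pp the key can only come from `extlib::cache_data`, so it is tied to the cache of the Puppet server that compiled the catalog: a second Pulp node compiled by a different server, or any node compiled after that cache directory is lost, receives a different key, and because config.pp manages `content` the file is silently replaced and the fields already encrypted in the database become undecryptable. I would add a class parameter such as `Optional[Sensitive[String[1]]] $db_encrypted_fields_key = undef,` and use the cache lookup only as the fallback when it is unset, so operators can pin one key via Hiera for multi-node deployments and restores; that means a differently named local variable here and in the config.pp reference. The parameter documentation should also state that the generated key is cached in clear text under the Puppet server's vardir by `extlib::cache_data`. The class parameter list starts before the hunk.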
@@ -73,6 +73,14 @@ class { 'pulpcore':
       its(:body) { is_expected.to contain('artifacts_list') }
       its(:exit_status) { is_expected.to eq 0 }
     end
+
+    describe file('/etc/pulp/db_encrypted_fields_key') do
+      it { is_expected.to be_file }
+      it { is_expected.to be_mode 640 }
+      it { is_expected.to be_owned_by 'root' }
+      it { is_expected.to be_grouped_into 'pulp' }
+      its(:content) { is_expected.to match /\A([a-zA-Z]|\d|-|_){43}=\z/ }
+    end
   end
 
   describe 'reducing worker count' do
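Review bot: The `its(:content)` example passes a regexp literal to `match` without parentheses, which Ruby parses but reports as an ambiguous first argument (the `/` could start a division); write it as `its(:content) { is_expected.to match(/\A[A-Za-z0-9_-]{43}=\z/) }`. The alternation `([a-zA-Z]|\d|-|_)` is equivalent to that single character class since Ruby's `\d` is ASCII-only, and the `\A`/`\z` anchors are the right choice for validating the whole file. The enclosing describe block starts before the hunk.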