diff --git a/manifests/config.pp b/manifests/config.pp
index 8cdaba84..317b3abf 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,7 +1,7 @@
 # Configures pulp3
 # @api private
 class pulpcore::config {
- file { $pulpcore::config_dir:
+ file { [$pulpcore::config_dir, $pulpcore::certs_dir]:
 ensure => directory,
 owner => 'root',
 group => 'root',
@@ -51,4 +51,17 @@
 mode => '0770',
 }
 
+ exec { 'Create database symmetric key':
+ path => ['/bin', '/usr/bin'],
+ command => "openssl rand -base64 32 | tr '+/' '-_' > ${pulpcore::database_key_file}",
+ creates => $pulpcore::database_key_file,
+ }
+
+ file { $pulpcore::database_key_file:
+ owner => 'root',
+ group => $pulpcore::group,
+ mode => '0640',
+ require => Exec['Create database symmetric key'],
+ }
+
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 1e00d76b..445ab4fa 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -232,6 +232,8 @@
 Enum['CRITICAL', 'ERROR', 'WARNING', 'INFO', 'DEBUG'] $log_level = 'INFO',
 ) {
 $settings_file = "${config_dir}/settings.py"
+ $certs_dir = "${config_dir}/certs"
+ $database_key_file = "${certs_dir}/database_fields.symmetric.key"
 
 contain pulpcore::install
 contain pulpcore::database
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
index 1dc54f87..72b4d660 100644
--- a/spec/classes/pulpcore_spec.rb
+++ b/spec/classes/pulpcore_spec.rb
@@ -29,6 +29,7 @@
 .without_content(%r{sslmode})
 .without_content(%r{WORKER_TTL})
 is_expected.to contain_file('/etc/pulp')
+ is_expected.to contain_file('/etc/pulp/certs/database_fields.symmetric.key')
 is_expected.to contain_file('/var/lib/pulp')
 is_expected.to contain_file('/var/lib/pulp/sync_imports')
 is_expected.to contain_file('/var/lib/pulp/assets')
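Review bot: In the second hunk of manifests/config.pp, the `exec` writes the symmetric key through a shell redirect, so the file is created under the agent's umask and may be readable more widely than intended until the following `file` resource applies `0640`. The mode of `certs_dir` is not visible in this diff, so the directory may or may not limit that exposure. Adding `umask => '0027',` to the exec closes the window. Separately, the pipeline's exit status is that of `tr`, so if `openssl` fails the redirect still leaves an empty file and `creates` then suppresses regeneration. Replacing `creates` with `unless => "test -s ${pulpcore::database_key_file}",` would keep an empty key from being persisted.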
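Review bot: The expectation added in spec/classes/pulpcore_spec.rb only asserts that the key file resource exists, so a later change that loosens its permissions or drops the generating exec would still pass. Pinning the security-relevant attributes would catch that, e.g. `is_expected.to contain_file('/etc/pulp/certs/database_fields.symmetric.key').with_owner('root').with_mode('0640')` together with `is_expected.to contain_exec('Create database symmetric key')`. The new `/etc/pulp/certs` directory has no `contain_file` expectation either. The enclosing example starts and ends outside the hunk.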