diff --git a/.fixtures.yml b/.fixtures.yml index a2ee5f19..591a16e1 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -2,6 +2,7 @@ fixtures: repositories: lokkit: "git://github.com/rharrison10/puppet-lokkit.git" ntp: "git://github.com/puppetlabs/puppetlabs-ntp.git" + secretbox: "git://github.com/sdodson/puppet-secretbox.git" selinux_types: "git://github.com/blentz/puppet-selinux_types.git" stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git" sysctl: "git://github.com/duritong/puppet-sysctl.git" diff --git a/Modulefile b/Modulefile index 6d293e8e..2c66644e 100644 --- a/Modulefile +++ b/Modulefile @@ -14,3 +14,4 @@ dependency 'blentz/selinux_types', '>=0.1.0' dependency 'puppetlabs/haproxy', '>=0.4.1' dependency 'arioch/keepalived', '>=0.0.10' dependency 'duritong/sysctl', '>=0.0.6' +dependency 'sdodson/secretbox', '>=0.1.3' diff --git a/README.asciidoc b/README.asciidoc index 1770f0a3..571939af 100644 --- a/README.asciidoc +++ b/README.asciidoc @@ -458,10 +458,13 @@ is true. Default "changeme" === msgserver_admin_password -This is the admin password for the ActiveMQ admin console, which is -not needed by OpenShift but might be useful in troubleshooting. +This is the admin password for the ActiveMQ admin console, which is not needed +by OpenShift but might be useful in troubleshooting. Because this value need +not be uniform across hosts it is generated randomly by default and stored in +your puppet master's vardir ie: +/var/lib/puppet/secretbox/$::fqdn/msgserver_admin_password -Default: scrambled +Default: 16 character random string === msgserver_tls_enabled This configures mcollective and activemq to use end-to-end encryption over TLS. 
@@ -584,9 +587,13 @@ Default: demo/changeme === conf_broker_auth_private_key Salt and private keys used when generating secure authentication tokens for Application to Broker communication. Requests like scale up/down -and jenkins builds use these authentication tokens. This value must be the +and jenkins builds use these authentication tokens. These values must be the same on all broker nodes. +By default conf_broker_auth_salt is generated randomly once and stored in your +puppet master's vardir ie: +/var/lib/puppet/secretbox/$::fqdn/conf_broker_auth_salt + Default: Self signed keys are generated. Will not work with multi-broker setup. diff --git a/manifests/init.pp b/manifests/init.pp index d87fcbf1..e0693d42 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -303,9 +303,12 @@ # is true. # # [*msgserver_admin_password*] -# Default: scrambled -# This is the admin password for the ActiveMQ admin console, which is -# not needed by OpenShift but might be useful in troubleshooting. +# Default: 16 character random string +# This is the admin password for the ActiveMQ admin console, which is not needed +# by OpenShift but might be useful in troubleshooting. Because this value need +# not be uniform across hosts it is generated randomly by default and stored in +# your puppet master's vardir ie: +# /var/lib/puppet/secretbox/$::fqdn/msgserver_admin_password # # [*msgserver_tls_enabled*] # Default: 'disabled' @@ -406,6 +409,11 @@ # tokens for Application to Broker communication. Requests like scale up/down # and jenkins builds use these authentication tokens. This value must be the # same on all broker nodes. +# +# By default conf_broker_auth_salt is generated randomly once and stored in your +# puppet master's vardir ie: +# /var/lib/puppet/secretbox/$::fqdn/conf_broker_auth_salt +# # Default: Self signed keys are generated. Will not work with multi-broker # setup. # 
@@ -837,7 +845,7 @@
 $msgserver_cluster_members = undef,
 $mcollective_cluster_members = undef,
 $msgserver_password = 'changeme',
- $msgserver_admin_password = inline_template('<%= require "securerandom"; SecureRandom.base64 %>'),
+ $msgserver_admin_password = secretbox('msgserver_admin_password',16,'base64'),
 $msgserver_tls_enabled = 'disabled',
 $msgserver_tls_keystore_password = 'password',
 $msgserver_tls_ca = '/var/lib/puppet/ssl/certs/ca.pem',
@@ -860,7 +868,7 @@
 $mongodb_key = 'changeme',
 $openshift_user1 = 'demo',
 $openshift_password1 = 'changeme',
- $conf_broker_auth_salt = inline_template('<%= require "securerandom"; SecureRandom.base64 %>'),
+ $conf_broker_auth_salt = secretbox('conf_broker_auth_salt',16,'base64'),
 $conf_broker_auth_private_key = undef,
 $conf_broker_session_secret = undef,
 $conf_broker_multi_haproxy_per_node = false,
diff --git a/metadata.json b/metadata.json
index 135eaa0b..d0b119cc 100644
--- a/metadata.json
+++ b/metadata.json
@@ -59,6 +59,10 @@
 {
 "name": "duritong/sysctl",
 "version_requirement": ">=0.0.6"
+ },
+ {
+ "name": "sdodson/secretbox",
+ "version_requirement": ">=0.1.3"
 }
 ]
 }
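Review bot: The new default for `$msgserver_admin_password` is no longer thrown away after each catalog compile but persisted on the puppet master (the README hunk names `/var/lib/puppet/secretbox/$::fqdn/msgserver_admin_password`), so the ownership and mode of that directory, and anything that backs up vardir, now decide who can read the ActiveMQ admin password; the change neither states nor enforces that. I can't see secretbox() here, but if `16` is the output length in base64 characters the default carries roughly 96 bits of entropy, less than the 16-byte SecureRandom.base64 value it replaces — worth stating either way. Suggested addition to the `[*msgserver_admin_password*]` comment in the @@ -303 hunk: `#   The generated value persists under the master's vardir; keep that path readable only by the puppet user.` The class parameter list containing this default starts and ends outside this hunk.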
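Review bot: The new default for `$conf_broker_auth_salt` is keyed by `$::fqdn` (per the README and init.pp comment hunks, `/var/lib/puppet/secretbox/$::fqdn/conf_broker_auth_salt`), so each broker compiles a different salt, while the same documentation says the value must be identical on all broker nodes; a multi-broker site relying on the default would presumably mint tokens one broker cannot verify on another. The old inline_template default had the same problem on every compile, so this is not a regression, but the new wording "generated randomly once" reads as if the default were shared. I'd say it explicitly in the @@ -406 comment hunk and the matching README hunk: `#   The default is per-host; multi-broker deployments must pass the same conf_broker_auth_salt to every broker.` The class parameter list containing this default starts and ends outside this hunk.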