diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
index c4751c2a6d..513220a4fb 100644
--- a/docs/dictionary/en-custom.txt
+++ b/docs/dictionary/en-custom.txt
@@ -26,6 +26,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -46,6 +47,7 @@ bootmacaddress
 bootmode
 buildah
 buildpkgs
+cacert
 cacheable
 cci
 ccitredhat
@@ -207,6 +209,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -305,6 +309,7 @@ mellanox
 metallb
 metalsmith
 mgmt
+minclient
 mins
 minsizegigabytes
 mlnx
@@ -398,6 +403,7 @@ params
 passwd
 passwordless
 pastebin
+pem
 pkgs
 pki
 png
diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
new file mode 100644
index 0000000000..46526c623f
--- /dev/null
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -0,0 +1,89 @@
+---
+- name: Create modified barbican image and get secrets
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Check out the role git repo
+ ansible.builtin.git:
+ dest: "./rhoso_luna_hsm"
+ repo: "{{ cifmw_hsm_luna_ansible_role_repo | default('https://github.com/openstack-k8s-operators/ansible-role-rhoso-luna-hsm.git', true) }}"
+ version: "{{ cifmw_hsm_luna_ansible_role_version| default('main', true) }}"
+
+ - name: Create and upload the new barbican images
+ ansible.builtin.include_role:
+ name: rhoso_luna_hsm
+ tasks_from: create_image.yml
+ vars:
+ barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_src_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+ barbican_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}"
+ barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_dest_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+ barbican_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}{{ cifmw_update_barbican_custom_tag }}"
+ luna_minclient_src: "{{ cifmw_hsm_luna_minclient_src }}"
+ luna_binaries_src: "{{ cifmw_hsm_luna_binaries_src }}"
+
+ - name: Create secrets with the HSM certs and hsm-login credentials
+ ansible.builtin.include_role:
+ name: rhoso_luna_hsm
+ tasks_from: create_secrets.yml
+ vars:
+ client_ip: "{{ cifmw_hsm_client_ip }}"
+ chrystoki_conf_src: "{{ cifmw_hsm_chrystoki_conf_src }}"
+ luna_server_cert_src: "{{ cifmw_hsm_luna_server_cert_src }}"
+ luna_client_cert_src: "{{ cifmw_hsm_luna_client_cert_src }}"
+ partition_password: "{{ cifmw_hsm_partition_password }}"
+ kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
+ oc_path: "{{ cifmw_path }}"
+ luna_data_secret: "{{ cifmw_hsm_luna_client_data_secret | default('barbican-luna-client-data', true) }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('barbican-luna-login', true) }}"
+
+- name: Create kustomization to use update barbican to use luna
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Create file to customize barbican resource deployed in the control plane
+ vars:
+ client_data_secret: "{{ cifmw_hsm_luna_client_data_secret | default('barbican-luna-client-data', true) }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('barbican-luna-login', true) }}"
+ ansible.builtin.copy:
+ dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+ content: |-
+ apiVersion: kustomize.config.k8s.io/v1beta1
+ kind: Kustomization
+ resources:
+ namespace: {{ namespace }}
+ patches:
+ - target:
+ kind: OpenStackControlPlane
+ name: .*
+ patch: |-
+ - op: add
+ path: /spec/barbican/template/globalDefaultSecretStore
+ value: pkcs11
+ - op: add
+ path: /spec/barbican/template/enabledSecretStores
+ value:
+ - pkcs11
+ - op: add
+ path: /spec/barbican/template/pkcs11
+ value:
+ loginSecret: "{{ login_secret }}"
+ clientDataSecret: "{{ client_data_secret }}"
+ clientDataPath: "/usr/local/luna"
+ - op: add
+ path: /spec/barbican/template/customServiceConfig
+ value: |
+ [p11_crypto_plugin]
+ plugin_name = PKCS11
+ library_path = /usr/local/luna/libs/64/libCryptoki2.so
+ token_labels = "{{ cifmw_hsm_luna_partition }}"
+ mkek_label = "{{ cifm_hsm_mkek_label }}"
+ hmac_label = "{{ cifm_hsm_hmac_label }}"
+ encryption_mechanism = CKM_AES_GCM
+ aes_gcm_generate_iv = true
+ hmac_key_type = CKK_GENERIC_SECRET
+ hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
+ hmac_mechanism = CKM_SHA256_HMAC
+ key_wrap_mechanism = "{{ cifmw_hsm_key_wrap_mechanism }}"
+ key_wrap_generate_iv = true
+ always_set_cka_sensitive = true
+ os_locking_ok = false
diff --git a/roles/update_containers/defaults/main.yml b/roles/update_containers/defaults/main.yml
index 95142c4136..1aff329406 100644
--- a/roles/update_containers/defaults/main.yml
+++ b/roles/update_containers/defaults/main.yml
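Review bot: The two label settings in the customServiceConfig block, `mkek_label = "{{ cifm_hsm_mkek_label }}"` and `hmac_label = "{{ cifm_hsm_hmac_label }}"`, read variables prefixed `cifm_hsm_` while every other input in this file is prefixed `cifmw_hsm_`, so these look like typos that will fail the copy task with an undefined variable as soon as someone sets `cifmw_hsm_mkek_label` / `cifmw_hsm_hmac_label` by analogy; rename them to `cifmw_hsm_mkek_label` and `cifmw_hsm_hmac_label`. The "Create secrets with the HSM certs and hsm-login credentials" task passes `cifmw_hsm_partition_password` into the included role with no log suppression, so unless the role sets it itself, a verbose run or a failing task can print the HSM partition password into the CI job log; `apply: { no_log: true }` on that `include_role` propagates the suppression to the included tasks. The role is cloned at run time with `version: ... default('main', true)`, i.e. a moving branch, and then executed with the HSM credentials and kubeconfig in scope; defaulting to a pinned tag or commit would make the hook reproducible and narrow what an upstream change can do here. Also, `dest: "./rhoso_luna_hsm"` is relative to the working directory of the ansible-playbook process, whereas `include_role: name: rhoso_luna_hsm` is resolved through the roles path and the playbook directory, so the two presumably only line up for one particular cwd — worth a comment, or an absolute path under `cifmw_basedir` that is also on the roles path.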
@@ -47,3 +47,4 @@ cifmw_update_containers_manilashares:
 # cifmw_update_containers_edpm_image_url:
 # cifmw_update_containers_ipa_image_url:
 # cifmw_update_containers_edpmnodeexporterimage:
+cifmw_update_barbican_custom_tag: ""
diff --git a/roles/update_containers/templates/update_containers.j2 b/roles/update_containers/templates/update_containers.j2
index 04ccbed301..587078444b 100644
--- a/roles/update_containers/templates/update_containers.j2
+++ b/roles/update_containers/templates/update_containers.j2
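Review bot: `cifmw_update_barbican_custom_tag: ""` is the only default in this file that does not carry the role's `cifmw_update_containers_` prefix, and unlike the commented-out overrides above it nothing says what it is for. Since the template appends it verbatim to two image tags, a comment such as `# Optional suffix appended to the barbican API and worker image tags (empty = stock images).` above it would document the contract, and if a rename to the role prefix is wanted it is cheapest now, while only this commit's hook and template reference the name.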
@@ -10,9 +10,9 @@ spec:
 aodhEvaluatorImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-evaluator:{{ cifmw_update_containers_tag }}
 aodhListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-listener:{{ cifmw_update_containers_tag }}
 aodhNotifierImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-notifier:{{ cifmw_update_containers_tag }}
- barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }}
+ barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }}
 barbicanKeystoneListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-keystone-listener:{{ cifmw_update_containers_tag }}
- barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }}
+ barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }}
 ceilometerCentralImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-central:{{ cifmw_update_containers_tag }}
 ceilometerComputeImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-compute:{{ cifmw_update_containers_tag }}
 ceilometerIpmiImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-ipmi:{{ cifmw_update_containers_tag }}
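Review bot: The suffix is appended to `barbicanAPIImage` and `barbicanWorkerImage` but not to `barbicanKeystoneListenerImage` on the context line between them, and nothing in the template says whether that asymmetry is intentional. If it is (the listener not needing the rebuilt image), a Jinja comment such as `{# keystone listener keeps the stock tag: the custom tag only applies to api/worker #}` above the barbican lines would keep it from being "fixed" later; if it is not, the listener line needs the same `{{ cifmw_update_barbican_custom_tag }}` suffix. The `""` default added in roles/update_containers/defaults/main.yml keeps the rendered image references unchanged when no custom tag is set.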