diff --git a/data/common.yaml b/data/common.yaml
index e1414775418393cd29180542217ff61c22247ba4..6d593aa775bbfe4edc4f94248870df52042309ef 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -26,6 +26,32 @@ aes::auth::keytab_devel: >
   IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
   gTDWfQoET9V1Lrtv]
 
+aes::auth::keytab_production_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAWDNqT2ab63HdYWzW2/9TZrsxEcdDvJBKl87f
+  vNVOQveZOoK2vBSaGb0Mzs5AQrY02ib2mBEZKsIgyI5JIPJRc+KAPVsjOOa1
+  vYx8N/VazTPWEIEtCMXG5wwR2P+ws/mzU9ztcDd4E1Hh5k8bRsu/krTGn783
+  QF1I+FEod9tYd1vMMpRkd1nkGq0GJtRHv9Xteb3DN6XJkdrdMaNpKw8Cemj/
+  N96wTtcL72LvogBpgzueQJ8+XdyFJCmWqk1lQV7pyllOIcnXrIcAz9E7TRXz
+  kCjq3Lr2MPnpptV8CDhoIUuEiNfGAQIWa3DQJIPzuz5gtug9Am1XDvbg9Bxx
+  VQ2FmjCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAjUES6mKmlxRmzIZ
+  wu7L04CBgACGs/1vQi4G6v4Lz99FyonAjwsGU/texX/8Xgchp7emzkgLgqqz
+  BnDIXQukEIHBA5sBiBSYbvztTj99QQ2+hjS0fIyclQHa1xACtzeWJeGuf7Wh
+  /SVEJY3QpTspf98UwahjqrDLrGNK/my8Wc0U4ji4dozFhDl1WGcTyYUp5Zgn]
+
+aes::auth::keytab_devel_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAIlqY2OywFv+nNU225WBoKCqDOoPLak73Di0u
+  Qm+zyFOroYQMYfzvCQ38U41wQanG3TdRaK9G9EoG3uX9qR/9AEYi9YWCq/YN
+  uhR7baNq4TEGsIkf/DoeMPh/LJGgQm8UGgRFj2cxTVERe/g1PC54LzuvmuHj
+  lk2KS1MYltGhnZoumczTFlk+1qGwzTzyGglSxt8EFbDJgLr5YEwWbgyhHQVg
+  C1HK53N5UeCUdJrRePDOoSfhXTq2TkzcmeuO6DMV+3pnb6IXdweBQTDikGnM
+  Bd5GSOx0U0njCVOeXqSmWAhDu2hCtryshbhhhiv+qL7cQ5yDulZIj6YaRb0X
+  CNCuXDCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1yi1qYaUepK4KbkL
+  YTGfO4CBgKPQ++rfV6Nw1M5qPgLS6gsvkOEAe+9FFiFWH1uTNqoZX9jSO4tZ
+  F0y5pwJ4OpjQS0oiInF+rxET2PTnND6yNtxeSkBncAWnNHA80Z2U7BOZG6Lw
+  BbBuhpmotOaWx2thqdb2sCNlj3yZMT1k62VXU8rBqzRA3Vj7jiRiXXxcSnnQ]
+
 aes::tal_cli::credentials: >
   ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD
   AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAii6nHpFM6+6aPuw1Qnawf77K7f
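Review bot: The production keytab is added to `data/common.yaml` next to the devel one, so if this file is the Hiera layer shared by all nodes (the name suggests it, but the hierarchy is not visible here), every host that includes `aes::auth` is handed the decrypted production secret as a class parameter even when it only needs the devel keytab. Moving `aes::auth::keytab_production_base64` to a layer that only production hosts match would limit where the decrypted value is delivered. A short comment above each new key, such as `# base64-encoded keytab, eyaml-encrypted; decoded with Binary.new in aes::auth`, would also explain how these entries differ from the older `aes::auth::keytab_devel` value that stays in the file.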
diff --git a/manifests/auth.pp b/manifests/auth.pp
index ae5ba62684f4ebce9b72e35671886bdb0948a2be..d950cb853451312c4c36d2e44f28d3a47eb0a280 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,12 +1,28 @@
+#  # New keytab base64+pkcs7 encoded
+#  Optional[String] $keytab_base64      = undef, # Kerberos keytab file for HTTP/fqdn (ida-web)
+#  Optional[String] $keytab2_base64     = undef, # Kerberos keytab file for HTTP/fqdn (ida-web2)
+#) {
 class aes::auth (
-  Optional[String] $keytab_production = undef,
-  Optional[String] $keytab_devel = undef
+  # Comment out old keytab params but
+  # keep temporay for comparison
+  #
+  # # Existing keytabs
+  # Optional[String] $keytab_production = undef,
+  # Optional[String] $keytab_devel = undef
+  #
+  # new base64+pkcs7 keytabs
+  Optional[String] $keytab_production_base64 = undef,
+  Optional[String] $keytab_devel_base64 = undef
 ) {
   $auth_user = auth
   $auth_group = $auth_user
   $auth_home = "/srv/${auth_user}"
   $auth_service = 'aes_auth'
 
+  # Decode base64 encoded keytabs
+  $keytab_production  = Binary.new($keytab_production_base64, '%b')
+  $keytab_devel = Binary.new($keytab_devel_base64, '%b')
+
   # Pick the right keytab for the current environment. We use the fqdn rather than 
   # $environment since the keys are tied to the domain name rather than what 
   # environment the machine is configured in.
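Review bot: Both `Binary.new(..., '%b')` calls run unconditionally although the two new parameters are declared `Optional[String]` with an `undef` default, so a node where either Hiera key is missing should fail catalog compilation before it reaches the fqdn-based selection below. Decode only the keytab that the selection picks, or guard each call, e.g. `$keytab_devel = $keytab_devel_base64 ? { undef => undef, default => Binary.new($keytab_devel_base64, '%b') }`. The keytab material is also handled as a plain `String`/`Binary`; typing the parameters `Sensitive[String]` and unwrapping only where the value is decoded would keep it redacted in Puppet logs and reports. The commented-out signature above `class aes::auth (` and the commented old parameters (with the typo `temporay`) are better dropped, since version control already keeps them for comparison. The class body continues outside the hunk, so how the decoded values are written to disk is not visible here.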