diff --git a/REFERENCE.md b/REFERENCE.md
index 15bcf45a..f647c081 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -531,7 +531,7 @@ Default value: `'0600'`
 ##### `password`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 private key password. undef means no passphrase will be used to encrypt private key.
@@ -953,7 +953,7 @@ Default value: `$title`
 ##### `in_pass`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 PFX password
@@ -997,7 +997,7 @@ Default value: `present`
 ##### `in_pass`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 PFX container password
@@ -1005,7 +1005,7 @@ Default value: `undef`
 ##### `out_pass`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 PEM key password
@@ -1055,7 +1055,7 @@ Default value: `present`
 ##### `in_pass`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 Private key password
@@ -1063,7 +1063,7 @@ Default value: `undef`
 ##### `out_pass`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 PKCS12 password
diff --git a/lib/puppet/provider/ssl_pkey/openssl.rb b/lib/puppet/provider/ssl_pkey/openssl.rb
index 8ca7df99..f99181f4 100644
--- a/lib/puppet/provider/ssl_pkey/openssl.rb
+++ b/lib/puppet/provider/ssl_pkey/openssl.rb
@@ -26,7 +26,11 @@ def self.generate_key(resource)
 def self.to_pem(resource, key)
 if resource[:password]
 cipher = OpenSSL::Cipher.new('des3')
- key.to_pem(cipher, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(key.to_pem(cipher, resource[:password].unwrap))
+ else
+ key.to_pem(cipher, resource[:password])
+ end
 else
 key.to_pem
 end
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index e5262a71..cdca9ae4 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
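Review bot: When the password is Sensitive, to_pem now returns a Puppet Sensitive wrapper instead of the PEM String, so the caller outside this hunk that writes the key to disk has to unwrap it first; if it still relies on `to_s` or hands the value to a file write as before, the file would receive the wrapper's redaction placeholder rather than the encrypted key. The PEM built here is already encrypted with the passphrase, so returning the plain String keeps the original contract; normalize the secret once instead of branching on the result, `password = resource[:password].respond_to?(:unwrap) ? resource[:password].unwrap : resource[:password]` followed by `key.to_pem(cipher, password)`. The method's closing `end` lies outside the hunk.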
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -10,11 +10,23 @@ def self.private_key(resource)
 file = File.read(resource[:private_key])
 case resource[:authentication]
 when :dsa
- OpenSSL::PKey::DSA.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::DSA.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::DSA.new(file, resource[:password])
+ end
 when :rsa
- OpenSSL::PKey::RSA.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::RSA.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::RSA.new(file, resource[:password])
+ end
 when :ec
- OpenSSL::PKey::EC.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::EC.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::EC.new(file, resource[:password])
+ end
 else
 raise Puppet::Error, "Unknown authentication type '#{resource[:authentication]}'"
@@ -99,7 +111,11 @@ def create
 '-out', resource[:path]
 ]
 end
- options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
+ if resource[:password].respond_to?(:unwrap)
+ options << ['-passin', "pass:#{resource[:password].unwrap}"]
+ elsif resource[:password]
+ options << ['-passin', "pass:#{resource[:password]}"]
+ end
 options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
 openssl options
 end
diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
index 3a17d8e3..5e9ae8d2 100644
--- a/lib/puppet/provider/x509_request/openssl.rb
+++ b/lib/puppet/provider/x509_request/openssl.rb
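Review bot: Wrapping the constructed OpenSSL::PKey object in Puppet::Pops::Types::PSensitiveType::Sensitive changes what private_key returns, and the callers outside this hunk presumably pass that object to OpenSSL APIs that expect a PKey; unless they unwrap it, the Sensitive path fails where the plain-String path works. What needs protecting is the passphrase, which is consumed by the constructor, so the wrapper on the key object is not needed. The three branches repeat the same check; normalize once before the `case`, `password = resource[:password].respond_to?(:unwrap) ? resource[:password].unwrap : resource[:password]`, and keep each branch as `OpenSSL::PKey::DSA.new(file, password)` and so on. The same applies verbatim to the private_key hunk in lib/puppet/provider/x509_request/openssl.rb. The method's closing `end` is outside the hunk.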
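Review bot: After unwrapping, the passphrase is interpolated into the `-passin pass:` argument that `openssl options` executes, so the Sensitive wrapper protects the catalog and report but not the process argument list, nor any failure message that Puppet's execution helper builds from the full command line; if that exposure matters to the module, OpenSSL also accepts `-passin env:VAR`, `fd:N` or `stdin`, which would need the helper to supply the value out of band. As a matter of style, this hunk tests `resource[:password].respond_to?(:unwrap)` while the matching create hunk in lib/puppet/provider/x509_request/openssl.rb uses `&.respond_to?`; both treat nil the same, so pick one form for both files. Once the password is normalized into a local, the if/elsif pair collapses back to the original shape, `options << ['-passin', "pass:#{password}"] if password`.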
@@ -10,11 +10,23 @@ def self.private_key(resource)
 file = File.read(resource[:private_key])
 case resource[:authentication]
 when :dsa
- OpenSSL::PKey::DSA.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::DSA.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::DSA.new(file, resource[:password])
+ end
 when :rsa
- OpenSSL::PKey::RSA.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::RSA.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::RSA.new(file, resource[:password])
+ end
 when :ec
- OpenSSL::PKey::EC.new(file, resource[:password])
+ if resource[:password].respond_to?(:unwrap)
+ Puppet::Pops::Types::PSensitiveType::Sensitive.new(OpenSSL::PKey::EC.new(file, resource[:password].unwrap))
+ else
+ OpenSSL::PKey::EC.new(file, resource[:password])
+ end
 else
 raise Puppet::Error, "Unknown authentication type '#{resource[:authentication]}'"
@@ -45,7 +57,11 @@ def create
 '-out', resource[:path]
 ]
- options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
+ if resource[:password]&.respond_to?(:unwrap)
+ options << ['-passin', "pass:#{resource[:password].unwrap}"]
+ elsif resource[:password]
+ options << ['-passin', "pass:#{resource[:password]}"]
+ end
 options << ['-nodes'] unless resource[:encrypted]
 openssl options
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 7543d7e5..b50404bf 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -142,7 +142,7 @@
 Variant[String, Integer] $key_owner = $owner,
 Variant[String, Integer] $key_group = $group,
 Stdlib::Filemode $key_mode = '0600',
- Optional[String] $password = undef,
+ Optional[Variant[Sensitive[String], String]] $password = undef,
 Boolean $force = true,
 Boolean $encrypted = true,
 Optional[Stdlib::Absolutepath] $ca = undef,
diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
index 26ba3d36..e16c4a1c 100644
--- a/manifests/export/pem_cert.pp
+++ b/manifests/export/pem_cert.pp
@@ -16,7 +16,7 @@
 Stdlib::Absolutepath $pem_cert = $title,
 Optional[Stdlib::Absolutepath] $pfx_cert = undef,
 Optional[Stdlib::Absolutepath] $der_cert = undef,
- Optional[String] $in_pass = undef,
+ Optional[Variant[Sensitive[String], String]] $in_pass = undef,
 ) {
 #local variables
@@ -40,6 +40,7 @@
 $module_opt = ''
 }
+ $is_sensitive = ($in_pass =~ Sensitive)
 $passin_opt = $in_pass ? {
 undef => '',
 default => "-nokeys -passin pass:'${in_pass}'",
@@ -52,10 +53,10 @@
 "-in ${in_cert}",
 "-out ${pem_cert}",
 $passin_opt,
- ]
+ ].join(' ')
 exec { "Export ${in_cert} to ${pem_cert}":
- command => inline_template('<%= @cmd.join(" ") %>'),
+ command => if $is_sensitive { Sensitive($cmd) } else { $cmd },
 path => $facts['path'],
 creates => $pem_cert,
 }
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index 514dd73a..2d03581d 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -15,10 +15,11 @@
 Stdlib::Absolutepath $pfx_cert,
 Stdlib::Absolutepath $pem_key = $title,
 Enum['present', 'absent'] $ensure = present,
- Optional[String] $in_pass = undef,
- Optional[String] $out_pass = undef,
+ Optional[Variant[Sensitive[String], String]] $in_pass = undef,
+ Optional[Variant[Sensitive[String], String]] $out_pass = undef,
 ) {
 if $ensure == 'present' {
+ $is_sensitive = ($in_pass =~ Sensitive or $out_pass =~ Sensitive)
 $passin_opt = $in_pass ? {
 undef => '',
 default => "-passin pass:'${in_pass}'",
@@ -36,10 +37,10 @@
 '-nocerts',
 $passin_opt,
 $passout_opt,
- ]
+ ].join(' ')
 exec { "Export ${pfx_cert} to ${pem_key}":
- command => inline_template('<%= @cmd.join(" ") %>'),
+ command => if $is_sensitive { Sensitive($cmd) } else { $cmd },
 path => $facts['path'],
 creates => $pem_key,
 }
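Review bot: `$passin_opt` still interpolates `${in_pass}` directly, and interpolating a `Sensitive[String]` in Puppet renders the redaction placeholder rather than the value, so a Sensitive in_pass yields a `-passin` argument without the password and the export fails even though `$is_sensitive` is computed right above it; use the unwrapped value as manifests/export/pkcs12.pp does in this same commit, `default => "-nokeys -passin pass:'${in_pass.unwrap}'",`. The same defect is in the `$passin_opt` hunk of manifests/export/pem_key.pp, and presumably in its `$passout_opt`, which lies outside that hunk. Whether `unwrap` accepts a plain String depends on the module's minimum Puppet version; if it does not, test `$in_pass =~ Sensitive` before calling it.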
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index 69ef26e2..57c7a976 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
@@ -21,18 +21,19 @@
 Stdlib::Absolutepath $cert,
 Enum['present', 'absent'] $ensure = present,
 Optional[String] $chaincert = undef,
- Optional[String] $in_pass = undef,
- Optional[String] $out_pass = undef,
+ Optional[Variant[Sensitive[String], String]] $in_pass = undef,
+ Optional[Variant[Sensitive[String], String]] $out_pass = undef,
 ) {
 if $ensure == 'present' {
+ $is_sensitive = ($in_pass =~ Sensitive or $out_pass =~ Sensitive)
 $pass_opt = $in_pass ? {
 undef => '',
- default => "-passin pass:${in_pass}",
+ default => "-passin pass:${in_pass.unwrap}",
 }
 $passout_opt = $out_pass ? {
 undef => '',
- default => "-passout pass:${out_pass}",
+ default => "-passout pass:${out_pass.unwrap}",
 }
 $chain_opt = $chaincert ? {
@@ -50,10 +51,10 @@
 $chain_opt,
 $pass_opt,
 $passout_opt,
- ]
+ ].join(' ')
 exec { "Export ${name} to ${basedir}/${name}.p12":
- command => inline_template('<%= @cmd.join(" ") %>'),
+ command => if $is_sensitive { Sensitive($cmd) } else { $cmd },
 path => $facts['path'],
 creates => "${basedir}/${name}.p12",
 }
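Review bot: `${in_pass.unwrap}` and `${out_pass.unwrap}` are applied whatever the parameter's type, so for a plain String this relies on the `unwrap` function returning a non-Sensitive argument unchanged; confirm that against the minimum Puppet version the module declares, or guard with `if $in_pass =~ Sensitive { $in_pass.unwrap } else { $in_pass }`. The unwrapped secret is also placed unquoted in `$pass_opt` and `$passout_opt`, while manifests/export/pem_cert.pp single-quotes its `pass:` value; now that `$cmd` is a joined string handed to exec, a passphrase containing spaces or shell metacharacters could split or alter the command depending on how the exec provider runs it, so quoting consistently across the three export manifests belongs in the same change.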