diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..bb6edff9c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -226,7 +226,7 @@
 Optional[Stdlib::Port] $db_port = undef,
 String[1] $db_database = 'foreman',
 String[1] $db_username = 'foreman',
- String[1] $db_password = $foreman::params::db_password,
+ Variant[String[1], Sensitive[String[1]]] $db_password = $foreman::params::db_password,
 Optional[String[1]] $db_sslmode = undef,
 Optional[String[1]] $db_root_cert = undef,
 Optional[Integer[0]] $db_pool = undef,
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 35e4a2d65..89fad98f7 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -484,6 +484,17 @@
 it { should contain_user('foreman').with('groups' => []) }
 end
+
+ describe 'with sensitive passwords' do
+ let(:params) do
+ super().merge(db_password: sensitive('secret'))
+ end
+
+ it 'should configure the database' do
+ should contain_file('/etc/foreman/database.yml')
+ .with_content(sensitive(/password: "secret"/))
+ end
+ end
 end
 end
 end
diff --git a/templates/database.yml.epp b/templates/database.yml.epp
index 7e45e2627..444cdfd10 100644
--- a/templates/database.yml.epp
+++ b/templates/database.yml.epp
@@ -30,6 +30,6 @@
 username: <%= $username %>
 <% } -%>
 <% if $password { -%>
- password: "<%= $password %>"
+ password: <%= stdlib::to_ruby($password) %>
 <% } -%>
 pool: <%= $db_pool %>
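Review bot: Widening `$db_password` to `Variant[String[1], Sensitive[String[1]]]` changes the type seen by every consumer of the parameter, but only the database.yml template is adapted in this diff. Any other use of `$foreman::db_password` (not visible here) that expects a plain String needs to cope with the wrapped value, so it is worth searching the module for such uses before merging. The parameter list begins and ends outside this hunk, and the `@param db_password` documentation there should state that a Sensitive value is accepted and preferred, because a plain String can still show up unredacted in catalogs, logs and reports.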
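Review bot: The new example uses the password `secret`, which contains nothing that needs escaping, so the rendered line is identical to what the old template produced and the quoting change is not exercised. A second example with a value containing a double quote and a backslash, for instance `sensitive('se"cr\\et')` (constructed sample), asserting the escaped form in `/etc/foreman/database.yml`, would pin that behaviour. It would also guard against a later change of encoder silently altering how such passwords are written.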
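Review bot: `stdlib::to_ruby` on the password line emits a Ruby string literal, whose grammar is close to but not the same as a YAML double-quoted scalar. Ruby escapes `#` before `{`, `$` or `@` as `\#`, and YAML defines no such escape, so a password containing `#{` would likely render a database.yml that fails to parse. JSON string syntax is a subset of YAML, which makes `password: <%= stdlib::to_json($password) %>` the closer fit. The `username:` line in the context above is still emitted unquoted, and the template continues outside this hunk.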