diff --git a/image/config.json b/image/config.json
index 47c4c67e8b8ef5f8f5fbd302ca9c9894c1dfab0d..d7da3fb7b06590a6c73f3ae1f54e58470876988d 100644
--- a/image/config.json
+++ b/image/config.json
@@ -23,9 +23,9 @@
       "n": "0",
       "node_hostname": "node",
       "secrets": {
-        "http_signature_secret": "UNUSED",
-        "kerberos_admin_password": "UNUSED",
-        "kerberos_master_password": "UNUSED"
+        "http_signature_secret": "@SECRET@",
+        "kerberos_admin_password": "@SECRET@",
+        "kerberos_master_password": "@SECRET@"
       },
       "type": "hadoop-single"
     }
diff --git a/image/scripts/hadoop-single-setup.sh b/image/scripts/hadoop-single-setup.sh
index 0e457e43d9ccb920cc426d2802c149d78eec6920..5c5504d48218d96277d13292a4f6eca61c2737f1 100755
--- a/image/scripts/hadoop-single-setup.sh
+++ b/image/scripts/hadoop-single-setup.sh
@@ -19,9 +19,14 @@ service puppet-master restart
 
 puppet config set server `hostname -f`
 puppet config set --section agent http_read_timeout 30
+f=/etc/puppet/code/environments/production/manifests/site.pp
+while grep -q '@SECRET@' $f; do
+	k="`dd if=/dev/random bs=27 count=1 2>/dev/null | base64 -`"
+	sed -i "0,/@SECRET@/s,@SECRET,$k," $f
+done
 puppet agent --test 2>&1 | tee stage1.log
 if test $? = 0 -o $? = 2; then
-	sed -i "s/^\\(\$hdfs_deployed\\s*=\\s*\\).*/\\1true/" /etc/puppet/code/environments/production/manifests/site.pp
+	sed -i "s/^\\(\$hdfs_deployed\\s*=\\s*\\).*/\\1true/" $f
 	puppet agent --test 2>&1 | tee stage2.log
 else
 	echo "First stage setup failed"