diff --git a/deploy.tf b/deploy.tf
index bed6ab3035509fe02c51160bb0138b6bd67cc88f..db58a8e268b77744c518a6770ff85a94f31f6379 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -135,8 +135,12 @@ resource "openstack_compute_volume_attach_v2" "volume-attach" {
 	volume_id   = openstack_blockstorage_volume_v3.volume[count.index].id
 }
 
-variable "secrets" {
-	type = map(string)
+resource "random_password" "secrets" {
+	count = 3
+	length = "36"
+	keepers = {
+		masterid = openstack_compute_instance_v2.server[0].id
+	}
 }
 
 output "config" {
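Review bot: The `keepers` block ties all three passwords to `openstack_compute_instance_v2.server[0].id`, so replacing the first server regenerates the Kerberos master password, the Kerberos admin password and the HTTP signature secret together. If a KDC database on an attached volume or other nodes outlive that instance (not visible in this hunk), they would be left holding the old values, so the intent deserves a comment such as `# rotate all secrets whenever the master instance is rebuilt`, or the keeper should be dropped. Separately, `length = "36"` passes a string where the provider expects a number; `length = 36` avoids relying on implicit conversion. `random_password` also emits a wider punctuation set by default than the base64 values generated before, so either confirm that every consumer quotes these values safely or set `special = false`.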
@@ -147,7 +151,11 @@ output "config" {
 		master_hostname = var.master_hostname,
 		node_hostname = var.node_hostname,
 		type = var.type,
-		secrets = var.secrets,
+		secrets = {
+			http_signature_secret = random_password.secrets[0].result,
+			kerberos_admin_password = random_password.secrets[1].result,
+			kerberos_master_password = random_password.secrets[2].result,
+		},
 		volumes = var.volumes,
 	}
 	sensitive = true
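Review bot: The binding between secret names and `random_password.secrets[0]`..`[2]` is purely positional, so a later change to `count` or to the order of these lines would silently swap which value serves which purpose. Declaring the resource with `for_each = toset(["http_signature_secret", "kerberos_admin_password", "kerberos_master_password"])` and reading `random_password.secrets["http_signature_secret"].result` here would make the mapping explicit. Note also that `sensitive = true` only redacts CLI output: the generated values are stored in plain text in the Terraform state, and with the 0600 tfvars file removed the state is the only copy. The state file or backend (not shown in this diff) therefore needs restricted access and a backup, since losing it means losing or rotating all three secrets.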
diff --git a/launch.sh b/launch.sh
index 383772d64d83f20df734ef661f5d9ccd1b930bdb..5abc3072d76d54988018865fa40eb2b0b34cb7c1 100755
--- a/launch.sh
+++ b/launch.sh
@@ -2,18 +2,6 @@
 
 TERRAFORM="`PATH=$PATH:. which terraform`"
 
-if [ ! -s ./secrets.auto.tfvars ]; then
-	touch ./secrets.auto.tfvars
-	chmod 0600 ./secrets.auto.tfvars
-	{
-		echo 'secrets = {'
-		for k in kerberos_master_password kerberos_admin_password http_signature_secret; do
-			echo "	$k = \"`dd if=/dev/random bs=27 count=1 2>/dev/null | base64 -`\""
-		done
-		echo "}"
-	} >> ./secrets.auto.tfvars
-fi
-
 $TERRAFORM init >/dev/null
 
 $TERRAFORM apply -auto-approve "$@"
diff --git a/secrets.auto.tfvars.example b/secrets.auto.tfvars.example
deleted file mode 100644
index 6a513a791edfa5ecb0fa03d268c504da1ee30ddd..0000000000000000000000000000000000000000
--- a/secrets.auto.tfvars.example
+++ /dev/null
@@ -1,5 +0,0 @@
-secrets = {
-	kerberos_master_password = "SECRET"
-	kerberos_admin_password = "SECRET"
-	http_signature_secret = "SECRET"
-}