diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index dae0814a82..dd4c5fb3ab 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -224,6 +224,10 @@
           <td>secret_usage_target</td>
           <td>Name of the associated iSCSI target, if any</td>
         </tr>
+        <tr>
+          <td>secret_usage_name</td>
+          <td>Name of the associated TLS secret, if any</td>
+        </tr>
       </tbody>
     </table>
 
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 216a83cca6..e4bf50f9e7 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -41,8 +41,9 @@
       <dd>
         Specifies what this secret is used for.  A mandatory
         <code>type</code> attribute specifies the usage category, currently
-        only <code>volume</code>, <code>ceph</code>, and <code>iscsi</code>
-        are defined. Specific usage categories are described below.
+        only <code>volume</code>, <code>ceph</code>, <code>iscsi</code>,
+        and <code>tls</code> are defined. Specific usage categories
+        are described below.
       </dd>
     </dl>
 
@@ -271,5 +272,59 @@
       &lt;/auth&gt;
     </pre>
 
+    <h3><a name="tlsUsageType">Usage type "tls"</a></h3>
+
+    <p>
+      This secret may be used in order to provide the passphrase for the
+      private key used to provide TLS credentials.
+      The <code>&lt;usage type='tls'&gt;</code> element must contain a
+      single <code>name</code> element that specifies a usage name
+      for the secret.
+      <span class="since">Since 2.3.0</span>.
+      The following is an example of the expected XML and processing to
+      define the secret:
+    </p>
+
+    <pre>
+      # cat tls-secret.xml
+      &lt;secret ephemeral='no' private='yes'&gt;
+         &lt;description&gt;sample tls secret&lt;/description&gt;
+         &lt;usage type='tls'&gt;
+            &lt;name&gt;TLS_example&lt;/name&gt;
+         &lt;/usage&gt;
+      &lt;/secret&gt;
+
+      # virsh secret-define tls-secret.xml
+      Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
+
+      # virsh secret-list
+       UUID                                 Usage
+      -----------------------------------------------------------
+       718c71bd-67b5-4a2b-87ec-a24e8ca200dc  tls TLS_example
+      #
+
+    </pre>
+
+    <p>
+      A secret may also be defined via the
+      <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
+       <code>virSecretDefineXML</code></a> API.
+
+      Once the secret is defined, a secret value will need to be set. The
+      secret would be the passphrase used to access the TLS credentials.
+      The following is a simple example of using
+      <code>virsh secret-set-value</code> to set the secret value. The
+      <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
+      <code>virSecretSetValue</code></a> API may also be used to set
+      a more secure secret without using printable/readable characters.
+    </p>
+
+    <pre>
+      # MYSECRET=`printf %s "letmein" | base64`
+      # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+      Secret value set
+
+    </pre>
+
   </body>
 </html>
diff --git a/docs/schemas/secret.rng b/docs/schemas/secret.rng
index e21e700325..1e94d66e48 100644
--- a/docs/schemas/secret.rng
+++ b/docs/schemas/secret.rng
@@ -36,6 +36,7 @@
               <ref name='usagevolume'/>
               <ref name='usageceph'/>
               <ref name='usageiscsi'/>
+              <ref name='usagetls'/>
               <!-- More choices later -->
             </choice>
           </element>
@@ -71,4 +72,13 @@
     </element>
   </define>
 
+  <define name='usagetls'>
+    <attribute name='type'>
+      <value>tls</value>
+    </attribute>
+    <element name='name'>
+      <ref name='genericName'/>
+    </element>
+  </define>
+
 </grammar>
diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h
index 02728ba6cd..2ae36f66b1 100644
--- a/include/libvirt/libvirt-secret.h
+++ b/include/libvirt/libvirt-secret.h
@@ -43,6 +43,7 @@ typedef enum {
     VIR_SECRET_USAGE_TYPE_VOLUME = 1,
     VIR_SECRET_USAGE_TYPE_CEPH = 2,
     VIR_SECRET_USAGE_TYPE_ISCSI = 3,
+    VIR_SECRET_USAGE_TYPE_TLS = 4,
 
 # ifdef VIR_ENUM_SENTINELS
     VIR_SECRET_USAGE_TYPE_LAST
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 89bc8908f2..0d9e0a148a 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -338,6 +338,19 @@ virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
                                           virAccessPermSecretTypeToString(perm),
                                           attrs);
     }   break;
+    case VIR_SECRET_USAGE_TYPE_TLS: {
+        const char *attrs[] = {
+                    "connect_driver", driverName,
+                    "secret_uuid", uuidstr,
+                    "secret_usage_name", secret->usage.name,
+                    NULL,
+                };
+
+        return virAccessDriverPolkitCheck(manager,
+                                         "secret",
+                                         virAccessPermSecretTypeToString(perm),
+                                         attrs);
+    }   break;
     }
 }
 
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c
index d510645496..e662455736 100644
--- a/src/conf/secret_conf.c
+++ b/src/conf/secret_conf.c
@@ -30,6 +30,7 @@
 #include "secret_conf.h"
 #include "virsecretobj.h"
 #include "virerror.h"
+#include "virstring.h"
 #include "virxml.h"
 #include "viruuid.h"
 
@@ -38,7 +39,7 @@
 VIR_LOG_INIT("conf.secret_conf");
 
 VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST,
-              "none", "volume", "ceph", "iscsi")
+              "none", "volume", "ceph", "iscsi", "tls")
 
 const char *
 virSecretUsageIDForDef(virSecretDefPtr def)
@@ -56,6 +57,9 @@ virSecretUsageIDForDef(virSecretDefPtr def)
     case VIR_SECRET_USAGE_TYPE_ISCSI:
         return def->usage.target;
 
+    case VIR_SECRET_USAGE_TYPE_TLS:
+        return def->usage.name;
+
     default:
         return NULL;
     }
@@ -85,6 +89,10 @@ virSecretDefFree(virSecretDefPtr def)
         VIR_FREE(def->usage.target);
         break;
 
+    case VIR_SECRET_USAGE_TYPE_TLS:
+        VIR_FREE(def->usage.name);
+        break;
+
     default:
         VIR_ERROR(_("unexpected secret usage type %d"), def->usage_type);
         break;
@@ -145,6 +153,15 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt,
         }
         break;
 
+    case VIR_SECRET_USAGE_TYPE_TLS:
+        def->usage.name = virXPathString("string(./usage/name)", ctxt);
+        if (!def->usage.name) {
+            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("TLS usage specified, but name is missing"));
+            return -1;
+        }
+        break;
+
     default:
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("unexpected secret usage type %d"),
@@ -297,6 +314,10 @@ virSecretDefFormatUsage(virBufferPtr buf,
         virBufferEscapeString(buf, "<target>%s</target>\n", def->usage.target);
         break;
 
+    case VIR_SECRET_USAGE_TYPE_TLS:
+        virBufferEscapeString(buf, "<name>%s</name>\n", def->usage.name);
+        break;
+
     default:
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("unexpected secret usage type %d"),
diff --git a/src/conf/secret_conf.h b/src/conf/secret_conf.h
index 4584403dcb..c34880fb09 100644
--- a/src/conf/secret_conf.h
+++ b/src/conf/secret_conf.h
@@ -40,6 +40,7 @@ struct _virSecretDef {
         char *volume;               /* May be NULL */
         char *ceph;
         char *target;
+        char *name;
     } usage;
 };
 
diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c
index 30a5e80f6e..2bdfe08eab 100644
--- a/src/conf/virsecretobj.c
+++ b/src/conf/virsecretobj.c
@@ -237,6 +237,11 @@ virSecretObjSearchName(const void *payload,
         if (STREQ(secret->def->usage.target, data->usageID))
             found = 1;
         break;
+
+    case VIR_SECRET_USAGE_TYPE_TLS:
+        if (STREQ(secret->def->usage.name, data->usageID))
+            found = 1;
+        break;
     }
 
  cleanup:
diff --git a/tests/secretxml2xmlin/usage-tls.xml b/tests/secretxml2xmlin/usage-tls.xml
new file mode 100644
index 0000000000..88068b56e0
--- /dev/null
+++ b/tests/secretxml2xmlin/usage-tls.xml
@@ -0,0 +1,7 @@
+<secret ephemeral='no' private='no'>
+  <uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
+  <description>Sample TLS Secret</description>
+  <usage type='tls'>
+    <name>mumblyfratz</name>
+  </usage>
+</secret>
diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c
index 8dcbb40080..714c709090 100644
--- a/tests/secretxml2xmltest.c
+++ b/tests/secretxml2xmltest.c
@@ -80,6 +80,7 @@ mymain(void)
     DO_TEST("usage-volume");
     DO_TEST("usage-ceph");
     DO_TEST("usage-iscsi");
+    DO_TEST("usage-tls");
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }