diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 988201e3f9..73ebeda011 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -29,6 +29,7 @@ module Libvirtd_qemu = (* Config entry grouped by function - same order as example config *) let default_tls_entry = str_entry "default_tls_x509_cert_dir" | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_x509_secret_uuid" let vnc_entry = str_entry "vnc_listen" | bool_entry "vnc_auto_unix_socket" @@ -51,6 +52,7 @@ module Libvirtd_qemu = let chardev_entry = bool_entry "chardev_tls" | str_entry "chardev_tls_x509_cert_dir" | bool_entry "chardev_tls_x509_verify" + | str_entry "chardev_tls_x509_secret_uuid" let nogfx_entry = bool_entry "nographics_allow_host_audio" diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index e4c2aae2ec..c4fcb6d435 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -28,6 +28,20 @@ # #default_tls_x509_verify = 1 +# +# Libvirt assumes the server-key.pem file is unencrypted by default. +# To use an encrypted server-key.pem file, the password to decrypt +# the PEM file is required. This can be provided by creating a secret +# object in libvirt and then to uncomment this setting to set the UUID +# of the secret. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + # VNC is configured to listen on 127.0.0.1 by default. # To make it listen on all public interfaces, uncomment # this next option. 
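Review bot: The new comment block above `#default_tls_x509_secret_uuid` in qemu.conf never says what the referenced secret must contain or how it should be protected, which is the security-relevant part of this setting. I would extend it to state that the secret's value is the passphrase for server-key.pem and, assuming this libvirt build supports private secrets (`private='yes'` in the secret XML), that it should be defined private so the passphrase cannot be read back with `virsh secret-get-value` by anyone holding a libvirt connection. The hint "Replace it with the output from the UUID for the TLS secret from a 'virsh secret-list' command" also reads awkwardly; `# Replace it with the UUID of the TLS secret as listed by 'virsh secret-list'` says the same thing plainly. The chardev override comment later in this file would benefit from the same wording.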
@@ -214,6 +228,16 @@ #chardev_tls_x509_verify = 1 +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 635fa27736..109668bc35 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -365,6 +365,7 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->nvramDir); VIR_FREE(cfg->defaultTLSx509certdir); + VIR_FREE(cfg->defaultTLSx509secretUUID); VIR_FREE(cfg->vncTLSx509certdir); VIR_FREE(cfg->vncListen); @@ -377,6 +378,7 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->spiceSASLdir); VIR_FREE(cfg->chardevTLSx509certdir); + VIR_FREE(cfg->chardevTLSx509secretUUID); while (cfg->nhugetlbfs) { cfg->nhugetlbfs--; @@ -446,6 +448,10 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, goto cleanup; if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0) goto cleanup; + if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", + &cfg->defaultTLSx509secretUUID) < 0) + goto cleanup; + if (virConfGetValueBool(conf, "vnc_auto_unix_socket", &cfg->vncAutoUnixSocket) < 0) goto cleanup; if (virConfGetValueBool(conf, "vnc_tls", &cfg->vncTLS) < 0) 
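Review bot: `default_tls_x509_secret_uuid` is accepted as an arbitrary string by the new `virConfGetValueString` call in the `@@ -446` hunk with no format check, so the all-zeros placeholder that qemu.conf warns "will not work", or a mistyped UUID, passes daemon startup and presumably only fails later when a TLS-enabled chardev is launched and the secret lookup misses. Validating the string at load time with the project's UUID parser (`virUUIDParse()` from viruuid.h, if it is not already included in this file) would report the problem against the config file instead. A sketch follows; `virQEMUDriverConfigLoadFile` begins and ends outside this hunk, so the `cleanup` label it jumps to is not visible here.
```c
    if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
                              &cfg->defaultTLSx509secretUUID) < 0)
        goto cleanup;
    if (cfg->defaultTLSx509secretUUID) {
        unsigned char uuid[VIR_UUID_BUFLEN];
        /* Reject malformed values (including the documented all-zeros
         * placeholder left uncommented) before a guest ever needs them. */
        if (virUUIDParse(cfg->defaultTLSx509secretUUID, uuid) < 0) {
            virReportError(VIR_ERR_CONF_SYNTAX,
                           _("'%s' is not a valid UUID for default_tls_x509_secret_uuid"),
                           cfg->defaultTLSx509secretUUID);
            goto cleanup;
        }
    }
    /* ... unchanged: vnc_auto_unix_socket, vnc_tls ... */
```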
@@ -513,6 +519,14 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, goto cleanup; if (rv == 0) cfg->chardevTLSx509verify = cfg->defaultTLSx509verify; + if (virConfGetValueString(conf, "chardev_tls_x509_secret_uuid", + &cfg->chardevTLSx509secretUUID) < 0) + goto cleanup; + if (!cfg->chardevTLSx509secretUUID && cfg->defaultTLSx509secretUUID) { + if (VIR_STRDUP(cfg->chardevTLSx509secretUUID, + cfg->defaultTLSx509secretUUID) < 0) + goto cleanup; + } if (virConfGetValueUInt(conf, "remote_websocket_port_min", &cfg->webSocketPortMin) < 0) goto cleanup; diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index d32689a000..12b2661d04 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -111,6 +111,7 @@ struct _virQEMUDriverConfig { char *defaultTLSx509certdir; bool defaultTLSx509verify; + char *defaultTLSx509secretUUID; bool vncAutoUnixSocket; bool vncTLS; @@ -132,6 +133,7 @@ struct _virQEMUDriverConfig { bool chardevTLS; char *chardevTLSx509certdir; bool chardevTLSx509verify; + char *chardevTLSx509secretUUID; unsigned int remotePortMin; unsigned int remotePortMax; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index cd162ae1a6..805fa0e55e 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -4,6 +4,7 @@ module Test_libvirtd_qemu = test Libvirtd_qemu.lns get conf = { "default_tls_x509_cert_dir" = "/etc/pki/qemu" } { "default_tls_x509_verify" = "1" } +{ "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "vnc_listen" = "0.0.0.0" } { "vnc_auto_unix_socket" = "1" } { "vnc_tls" = "1" } @@ -23,6 +24,7 @@ module Test_libvirtd_qemu = { "chardev_tls" = "1" } { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" } { "chardev_tls_x509_verify" = "1" } +{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "nographics_allow_host_audio" = "1" } { "remote_display_port_min" = "5900" } { "remote_display_port_max" = "65535" }
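Review bot: The fallback `VIR_STRDUP(cfg->chardevTLSx509secretUUID, cfg->defaultTLSx509secretUUID)` copies the default secret whenever the chardev one is unset, which presumably also covers the case where `chardev_tls_x509_cert_dir` was overridden just above this hunk (the `chardevTLSx509verify` inheritance at the top of the hunk suggests the cert-dir handling sits there), so the default key's passphrase would then be tried against a different server-key.pem. That mirrors how `verify` inherits, but for a passphrase the combination is more likely a misconfiguration than intent, and nothing tells the admin about it. I would at least document it at the copy, `/* Inherit the default secret UUID; note this also applies when only chardev_tls_x509_cert_dir is overridden, so the default key's passphrase is used for that directory's key. */`, and say the same in the `chardev_tls_x509_secret_uuid` comment in qemu.conf. The enclosing `virQEMUDriverConfigLoadFile` starts and ends outside this hunk.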