diff --git a/.gitignore b/.gitignore
index 9ad159ecfd..cf39177250 100644
--- a/.gitignore
+++ b/.gitignore
@@ -166,6 +166,9 @@
 /src/remote/virtproxyd.conf
 /src/rpc/virkeepaliveprotocol.[ch]
 /src/rpc/virnetprotocol.[ch]
+/src/secret/test_virtsecretd.aug
+/src/secret/virtsecretd.aug
+/src/secret/virtsecretd.conf
 /src/test*.aug
 /src/util/virkeycodetable*.h
 /src/util/virkeynametable*.h
@@ -173,6 +176,7 @@
 /src/virtlockd
 /src/virtlogd
 /src/virtproxyd
+/src/virtsecretd
 /src/virt-guest-shutdown.target
 /tests/*.log
 /tests/*.pid
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 2acff40ea7..31da3f7581 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1634,6 +1634,14 @@ exit 0
 %{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
 
 %files daemon-driver-secret
+%config(noreplace) %{_sysconfdir}/libvirt/virtsecretd.conf
+%{_datadir}/augeas/lenses/virtsecretd.aug
+%{_datadir}/augeas/lenses/tests/test_virtsecretd.aug
+%{_unitdir}/virtsecretd.service
+%{_unitdir}/virtsecretd.socket
+%{_unitdir}/virtsecretd-ro.socket
+%{_unitdir}/virtsecretd-admin.socket
+%attr(0755, root, root) %{_sbindir}/virtsecretd
 %{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so
 
 %files daemon-driver-storage
diff --git a/src/secret/Makefile.inc.am b/src/secret/Makefile.inc.am
index 7a1c8f8e1a..37f816406e 100644
--- a/src/secret/Makefile.inc.am
+++ b/src/secret/Makefile.inc.am
@@ -37,4 +37,67 @@ libvirt_driver_secret_la_LIBADD = \
 	$(NULL)
 libvirt_driver_secret_la_LDFLAGS = $(AM_LDFLAGS_MOD_NOUNDEF)
 libvirt_driver_secret_la_SOURCES = $(SECRET_DRIVER_SOURCES)
+
+sbin_PROGRAMS += virtsecretd
+
+nodist_conf_DATA += secret/virtsecretd.conf
+augeas_DATA += secret/virtsecretd.aug
+augeastest_DATA += secret/test_virtsecretd.aug
+CLEANFILES += secret/virtsecretd.aug
+
+virtsecretd_SOURCES = $(REMOTE_DAEMON_SOURCES)
+virtsecretd_CFLAGS = \
+	$(REMOTE_DAEMON_CFLAGS) \
+	-DDAEMON_NAME="\"virtsecretd\"" \
+	-DMODULE_NAME="\"secret\"" \
+	$(NULL)
+virtsecretd_LDFLAGS = $(REMOTE_DAEMON_LD_FLAGS)
+virtsecretd_LDADD = $(REMOTE_DAEMON_LD_ADD)
+
+SYSTEMD_UNIT_FILES += \
+	virtsecretd.service \
+	virtsecretd.socket \
+	virtsecretd-ro.socket \
+	virtsecretd-admin.socket \
+	$(NULL)
+SYSTEMD_UNIT_FILES_IN += \
+	secret/virtsecretd.service.in \
+	$(NULL)
+
+VIRTSECRETD_UNIT_VARS = \
+	$(VIRTD_UNIT_VARS) \
+	-e 's|[@]name[@]|Libvirt secret|g' \
+	-e 's|[@]service[@]|virtsecretd|g' \
+	-e 's|[@]sockprefix[@]|virtsecretd|g' \
+	$(NULL)
+
+virtsecretd.service: secret/virtsecretd.service.in $(top_builddir)/config.status
+	$(AM_V_GEN)$(SED) $(VIRTSECRETD_UNIT_VARS) $< > $@-t && mv $@-t $@
+
+virtsecret%.socket: remote/libvirt%.socket.in $(top_builddir)/config.status
+	$(AM_V_GEN)$(SED) $(VIRTSECRETD_UNIT_VARS) $< > $@-t && mv $@-t $@
+
+secret/virtsecretd.conf: remote/libvirtd.conf.in
+	$(AM_V_GEN)$(SED) \
+		-e '/[@]CUT_ENABLE_IP[@]/,/[@]END[@]/d' \
+		-e 's/[@]DAEMON_NAME[@]/virtsecretd/' \
+		$< > $@
+
+secret/virtsecretd.aug: remote/libvirtd.aug.in
+	$(AM_V_GEN)$(SED) \
+		-e '/[@]CUT_ENABLE_IP[@]/,/[@]END[@]/d' \
+		-e 's/[@]DAEMON_NAME[@]/virtsecretd/' \
+		-e 's/[@]DAEMON_NAME_UC[@]/Virtsecretd/' \
+		$< > $@
+
+secret/test_virtsecretd.aug: remote/test_libvirtd.aug.in \
+		secret/virtsecretd.conf $(AUG_GENTEST)
+	$(AM_V_GEN)$(AUG_GENTEST) secret/virtsecretd.conf \
+		$(srcdir)/remote/test_libvirtd.aug.in | \
+		$(SED) \
+		-e '/[@]CUT_ENABLE_IP[@]/,/[@]END[@]/d' \
+		-e 's/[@]DAEMON_NAME[@]/virtsecretd/' \
+		-e 's/[@]DAEMON_NAME_UC[@]/Virtsecretd/' \
+		> $@ || rm -f $@
+
 endif WITH_SECRETS
diff --git a/src/secret/virtsecretd.service.in b/src/secret/virtsecretd.service.in
new file mode 100644
index 0000000000..00cdc26b97
--- /dev/null
+++ b/src/secret/virtsecretd.service.in
@@ -0,0 +1,24 @@
+[Unit]
+Description=Virtualization secret daemon
+Conflicts=libvirtd.service
+Requires=virtsecretd.socket
+Requires=virtsecretd-ro.socket
+Requires=virtsecretd-admin.socket
+After=network.target
+After=dbus.service
+After=apparmor.service
+After=local-fs.target
+Documentation=man:libvirtd(8)
+Documentation=https://libvirt.org
+
+[Service]
+Type=notify
+ExecStart=@sbindir@/virtsecretd --timeout 120
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+Also=virtsecretd.socket
+Also=virtsecretd-ro.socket
+Also=virtsecretd-admin.socket