diff --git a/src/include/conffile.h b/src/include/conffile.h
index 024cba406e66..0189979aad88 100644
--- a/src/include/conffile.h
+++ b/src/include/conffile.h
@@ -45,6 +45,7 @@ typedef struct conf_data CONF_DATA;
 #define PW_TYPE_REQUIRED (1 << 11) //!< CONF_PAIR is required, server will not start without this
 //!< config item.
 #define PW_TYPE_ATTRIBUTE (1 << 12) //!< CONF_PAIR value must exist in the dictionary as an attribute.
+#define PW_TYPE_SECRET (1 << 13) //!< don't print it when debug_flag==2.
 typedef struct CONF_PARSER {
 char const *name;
diff --git a/src/main/client.c b/src/main/client.c
index 8738cdd1c6ee..48d2693f3e58 100644
--- a/src/main/client.c
+++ b/src/main/client.c
@@ -523,7 +523,7 @@ static const CONF_PARSER client_config[] = {
 { "require_message_authenticator", PW_TYPE_BOOLEAN,
 offsetof(RADCLIENT, message_authenticator), 0, "no" },
- { "secret", PW_TYPE_STRING_PTR,
+ { "secret", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(RADCLIENT, secret), 0, NULL },
 { "shortname", PW_TYPE_STRING_PTR,
 offsetof(RADCLIENT, shortname), 0, NULL },
diff --git a/src/main/conffile.c b/src/main/conffile.c
index f7ceb47c8603..0e813666a788 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -869,7 +869,7 @@ static char const *parse_spaces = "
 int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char const *dflt)
 {
 int rcode;
- bool deprecated, required, attribute;
+ bool deprecated, required, attribute, secret;
 char **q;
 char const *value;
 fr_ipaddr_t ipaddr;
@@ -881,6 +881,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char
 deprecated = (type & PW_TYPE_DEPRECATED);
 required = (type & PW_TYPE_REQUIRED);
 attribute = (type & PW_TYPE_ATTRIBUTE);
+ secret = (type & PW_TYPE_SECRET);
 type &= 0xff; /* normal types are small */
 rcode = 0;
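Review bot: The Doxygen text on the new PW_TYPE_SECRET line says the value is hidden `when debug_flag==2`, but the check this commit adds in src/main/conffile.c is `debug_flag <= 2`, so the two disagree about levels 0 and 1 and neither says that `-xxx` (debug_flag 3 and above) still prints the value. I would replace the comment with `//!< never log the value while debug_flag <= 2 (radiusd -X); higher debug levels still print it.` As far as the hunks in this commit show, the flag is a logging hint only: it is masked off by `type &= 0xff` before parsing and does not change how the value is stored, which is worth stating so nobody expects it to protect the value in memory.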
@@ -994,8 +995,16 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char
 }
 }
- cf_log_info(cs, "%.*s\t%s = \"%s\"",
- cs->depth, parse_spaces, name, value ? value : "(null)");
+ /*
+ * Hide secrets when using "radiusd -X".
+ */
+ if (secret && (debug_flag <= 2)) {
+ cf_log_info(cs, "%.*s\t%s = <<< secret >>>",
+ cs->depth, parse_spaces, name);
+ } else {
+ cf_log_info(cs, "%.*s\t%s = \"%s\"",
+ cs->depth, parse_spaces, name, value ? value : "(null)");
+ }
 *q = value ? talloc_strdup(cs, value) : NULL;
 break;
diff --git a/src/main/realms.c b/src/main/realms.c
index 7b2b5feb6815..b847ef0fba8a 100644
--- a/src/main/realms.c
+++ b/src/main/realms.c
@@ -338,7 +338,7 @@ static CONF_PARSER home_server_config[] = {
 0, &hs_proto, NULL },
 #endif
- { "secret", PW_TYPE_STRING_PTR,
+ { "secret", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(home_server_t,secret), NULL, NULL},
 { "src_ipaddr", PW_TYPE_STRING_PTR,
diff --git a/src/main/tls.c b/src/main/tls.c
index 3c34d8d42f34..f26bfbf782a4 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -814,12 +814,12 @@ static CONF_PARSER tls_server_config[] = {
 offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
 { "ca_file", PW_TYPE_FILE_INPUT,
 offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
- { "private_key_password", PW_TYPE_STRING_PTR,
+ { "private_key_password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(fr_tls_server_conf_t, private_key_password), NULL, NULL },
 #ifdef PSK_MAX_IDENTITY_LEN
 { "psk_identity", PW_TYPE_STRING_PTR,
 offsetof(fr_tls_server_conf_t, psk_identity), NULL, NULL },
- { "psk_hexphrase", PW_TYPE_STRING_PTR,
+ { "psk_hexphrase", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(fr_tls_server_conf_t, psk_password), NULL, NULL },
 #endif
 { "dh_file", PW_TYPE_STRING_PTR,
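Review bot: The masking is applied only in the branch shown here, the one whose value is stored into `*q`; cf_item_parse starts and ends outside this hunk, and if it echoes values on other type branches as well, an option carrying PW_TYPE_SECRET on one of those types would still be logged in full, so the same `secret && (debug_flag <= 2)` guard belongs in front of every `cf_log_info` that prints a value. The threshold also deserves a word in the new comment, because `debug_flag <= 2` means `-X` hides the secret while `-xxx` and above dump it: `/* Hide secrets under "radiusd -X"; -xxx (debug_flag > 2) still prints them. */`. Note that the placeholder is printed even when `value` is NULL, so an operator can no longer tell from -X output that no secret was configured at all; if that distinction matters, `if (secret && value && (debug_flag <= 2)) {` keeps the existing `(null)` output for the unset case without exposing anything.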
@@ -883,7 +883,7 @@ static CONF_PARSER tls_client_config[] = {
 offsetof(fr_tls_server_conf_t, certificate_file), NULL, NULL },
 { "ca_file", PW_TYPE_FILE_INPUT,
 offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
- { "private_key_password", PW_TYPE_STRING_PTR,
+ { "private_key_password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(fr_tls_server_conf_t, private_key_password), NULL, NULL },
 { "dh_file", PW_TYPE_STRING_PTR,
 offsetof(fr_tls_server_conf_t, dh_file), NULL, NULL },
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 4d99457ba7f1..2eedac66fdc5 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -207,7 +207,7 @@ static const CONF_PARSER module_config[] = {
 {"server", PW_TYPE_STRING_PTR | PW_TYPE_REQUIRED, offsetof(ldap_instance_t,server), NULL, "localhost"},
 {"port", PW_TYPE_INTEGER, offsetof(ldap_instance_t,port), NULL, "389"},
- {"password", PW_TYPE_STRING_PTR, offsetof(ldap_instance_t,password), NULL, ""},
+ {"password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET, offsetof(ldap_instance_t,password), NULL, ""},
 {"identity", PW_TYPE_STRING_PTR, offsetof(ldap_instance_t,admin_dn), NULL, ""},
 {"valuepair_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance_t, valuepair_attr), NULL, NULL},
diff --git a/src/modules/rlm_redis/rlm_redis.c b/src/modules/rlm_redis/rlm_redis.c
index b2e8c79f23d0..932dab1ef5a5 100644
--- a/src/modules/rlm_redis/rlm_redis.c
+++ b/src/modules/rlm_redis/rlm_redis.c
@@ -38,7 +38,7 @@ static const CONF_PARSER module_config[] = {
 offsetof(REDIS_INST, port), NULL, "6379"},
 { "database", PW_TYPE_INTEGER,
 offsetof(REDIS_INST, database), NULL, "0"},
- { "password", PW_TYPE_STRING_PTR,
+ { "password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(REDIS_INST, password), NULL, NULL},
 { NULL, -1, 0, NULL, NULL} /* end the list */
diff --git a/src/modules/rlm_rest/rlm_rest.c b/src/modules/rlm_rest/rlm_rest.c
index fb9e184e7d59..690e081f5545 100644
--- a/src/modules/rlm_rest/rlm_rest.c
+++ b/src/modules/rlm_rest/rlm_rest.c
@@ -40,7 +40,7 @@ static CONF_PARSER tls_config[] = {
 offsetof(rlm_rest_section_t,tls_certificate_file), NULL, NULL},
 { "private_key_file", PW_TYPE_FILE_INPUT,
 offsetof(rlm_rest_section_t,tls_private_key_file), NULL, NULL },
- { "private_key_password", PW_TYPE_STRING_PTR,
+ { "private_key_password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(rlm_rest_section_t, tls_private_key_password), NULL, NULL },
 { "random_file", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
 offsetof(rlm_rest_section_t,tls_random_file), NULL, NULL },
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index 1e3e50e06c72..e33819e87309 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -54,7 +54,7 @@ static const CONF_PARSER module_config[] = {
 offsetof(rlm_sql_config_t,sql_port), NULL, ""},
 {"login", PW_TYPE_STRING_PTR,
 offsetof(rlm_sql_config_t,sql_login), NULL, ""},
- {"password", PW_TYPE_STRING_PTR,
+ {"password", PW_TYPE_STRING_PTR | PW_TYPE_SECRET,
 offsetof(rlm_sql_config_t,sql_password), NULL, ""},
 {"radius_db", PW_TYPE_STRING_PTR,
 offsetof(rlm_sql_config_t,sql_db), NULL, "radius"},