diff --git a/include/UserPool.h b/include/UserPool.h index 1e19cee125..c883fe63f2 100644 --- a/include/UserPool.h +++ b/include/UserPool.h @@ -40,7 +40,8 @@ class UserPool : public PoolSQL public: UserPool(SqlDB * db, time_t __session_expiration_time, bool is_slave, - std::vector& restricted_attrs); + std::vector& restricted_attrs, + std::vector& encrypted_attrs); ~UserPool() = default; diff --git a/include/UserTemplate.h b/include/UserTemplate.h index 6d5274ee3e..06b5c6c9a1 100644 --- a/include/UserTemplate.h +++ b/include/UserTemplate.h @@ -47,11 +47,34 @@ public: Template::parse_restricted(ra, restricted); } + // ------------------------------------------------------------------------- + // Encrypted attributes interface implementation + // ------------------------------------------------------------------------- + virtual void encrypt(const std::string& one_key) + { + Template::encrypt(one_key, encrypted); + } + + virtual void decrypt(const std::string& one_key) + { + Template::decrypt(one_key, encrypted); + } + + static void parse_encrypted(std::vector& ea) + { + Template::parse_encrypted(ea, encrypted); + } + private: /** * Restricted attribute list for UserTemplate */ static std::map> restricted; + + /** + * Encrypted attribute list for ImageTemplates + */ + static std::map > encrypted; }; /* -------------------------------------------------------------------------- */ diff --git a/src/cli/oneuser b/src/cli/oneuser index 06c096d107..180271264a 100755 --- a/src/cli/oneuser +++ b/src/cli/oneuser @@ -573,7 +573,7 @@ CommandParser::CmdParser.new(ARGV) do EOT command :show, show_desc, [:userid, nil], - :options => OpenNebulaHelper::FORMAT do + :options => [OpenNebulaHelper::FORMAT, OpenNebulaHelper::DECRYPT] do user = args[0] || OpenNebula::User::SELF helper.show_resource(user, options) end diff --git a/src/nebula/Nebula.cc b/src/nebula/Nebula.cc index 5702dbb25f..7b1196d57c 100644 --- a/src/nebula/Nebula.cc +++ b/src/nebula/Nebula.cc 
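Review bot: The new `encrypted_attrs` parameter, like `restricted_attrs` before it, is taken by non-const reference even though the constructor body (src/um/UserPool.cc in this same diff) only forwards it to `UserTemplate::parse_encrypted`, which in turn hands it to `Template::parse_encrypted`. If that base function accepts a const reference, declaring the parameter as `const std::vector<...>& encrypted_attrs` here and in the UserPool.cc definition would document that the list is read-only and let callers pass a temporary; the same applies to `parse_encrypted(std::vector& ea)` in include/UserTemplate.h. The `Template` signature is not in this diff, so this is a suggestion to verify rather than a defect.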
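Review bot: The Doxygen comment on the new `encrypted` member says "Encrypted attribute list for ImageTemplates", which looks copied from ImageTemplate; in this header it should read `Encrypted attribute list for UserTemplate`, matching the `restricted` comment directly above it. The declaration also writes the nested template closer as `> >` while the neighbouring `restricted` line uses `>>`, and the same spacing difference appears in the definition added to src/um/UserTemplate.cc. If `Template` declares `encrypt`/`decrypt` as virtual (the base is not in this diff), the new members should be marked `override` instead of bare `virtual`, so a signature mismatch fails to compile rather than silently introducing a new virtual that the pool code never calls.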
@@ -734,6 +734,7 @@ void Nebula::start(bool bootstrap_only) /* ----------------------- Group/User Pool -------------------------- */ vector user_restricted; vector group_restricted; + vector user_encrypted; time_t expiration_time; @@ -743,9 +744,10 @@ void Nebula::start(bool bootstrap_only) nebula_configuration->get("SESSION_EXPIRATION_TIME", expiration_time); nebula_configuration->get("USER_RESTRICTED_ATTR", user_restricted); + nebula_configuration->get("USER_ENCRYPTED_ATTR", user_encrypted); upool = new UserPool(db_ptr, expiration_time, is_federation_slave(), - user_restricted); + user_restricted, user_encrypted); /* -------------------- Image/Datastore Pool ------------------------ */ string image_type; diff --git a/src/oca/ruby/opennebula/user.rb b/src/oca/ruby/opennebula/user.rb index 10171a7d08..6ec4e75e16 100644 --- a/src/oca/ruby/opennebula/user.rb +++ b/src/oca/ruby/opennebula/user.rb @@ -89,8 +89,8 @@ module OpenNebula ####################################################################### # Retrieves the information of the given User. - def info() - super(USER_METHODS[:info], 'USER') + def info(decrypt = false) + super(USER_METHODS[:info], 'USER', decrypt) end alias_method :info!, :info diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc index f3b75c45c5..b1cb70ec0f 100644 --- a/src/um/UserPool.cc +++ b/src/um/UserPool.cc @@ -54,7 +54,8 @@ string UserPool::oneadmin_name; /* -------------------------------------------------------------------------- */ UserPool::UserPool(SqlDB * db, time_t __session_expiration_time, bool is_slave, - vector& restricted_attrs) + vector& restricted_attrs, + vector& encrypted_attrs) : PoolSQL(db, one_db::user_table) { int one_uid = -1; 
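Review bot: `USER_ENCRYPTED_ATTR` is read into `user_encrypted` with the same unchecked `get()` pattern as `USER_RESTRICTED_ATTR`, so if the key is absent from the configuration the vector presumably stays empty and no user attribute is ever encrypted; for an encryption list that is a silent loss of protection rather than a startup error. Nothing in this diff adds a default for the key to the configuration defaults or to the shipped oned.conf, so either those are updated elsewhere or the choice should be made explicit with a comment such as `// USER_ENCRYPTED_ATTR has no built-in default: an empty list stores user attributes in clear`. Nebula::start continues outside this hunk.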
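Review bot: The new `decrypt` parameter of `User#info` is undocumented; the comment above the method still reads only "Retrieves the information of the given User." Add a line such as `# @param decrypt [Boolean] pass true to request the encrypted attributes decrypted (default false)`, since `info!` (aliased just below) exposes the same parameter. How the server honours the flag is not visible in this hunk, so the wording should stay at the request level.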
@@ -81,6 +82,8 @@ UserPool::UserPool(SqlDB * db, time_t __session_expiration_time, bool is_slave, // Set restricted attributes UserTemplate::parse_restricted(restricted_attrs); + UserTemplate::parse_encrypted(encrypted_attrs); + auto oneadmin_user = get_ro(0); //Slaves do not need to init the pool, just the oneadmin username diff --git a/src/um/UserTemplate.cc b/src/um/UserTemplate.cc index a4c140debb..b16f204378 100644 --- a/src/um/UserTemplate.cc +++ b/src/um/UserTemplate.cc @@ -20,3 +20,5 @@ /* -------------------------------------------------------------------------- */ std::map> UserTemplate::restricted; + +std::map > UserTemplate::encrypted;