diff --git a/docs/packstack.rst b/docs/packstack.rst
index 08fbea276..f7d9f2277 100755
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -308,8 +308,8 @@ Keystone Config parameters
 **CONFIG_KEYSTONE_DB_PW**
 Password to use for the Identity service (keystone) to access the database.
-**CONFIG_KEYSTONE_DB_PURGE_ENABLE**
- Enter y if cron job for removing soft deleted DB rows should be created.
+**CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE**
+ Enter y if cron job to rotate Fernet tokens should be created.
 **CONFIG_KEYSTONE_REGION**
 Default region name to use when creating tenants in the Identity service.
diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index 76c7fd609..2f5cf86eb 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -47,10 +47,10 @@ def initConfig(controller):
 "NEED_CONFIRM": True,
 "CONDITION": False},
 
- {"CMD_OPTION": 'keystone-db-purge-enable',
+ {"CMD_OPTION": 'keystone-fernet-token-rotate-enable',
 "PROMPT": (
- "Enter y if cron job for removing soft deleted DB rows "
- "should be created"
+ "Enter y if cron job to rotate Fernet tokens should be "
+ "created"
 ),
 "OPTION_LIST": ['y', 'n'],
 "VALIDATORS": [validators.validate_not_empty],
@@ -58,7 +58,7 @@ def initConfig(controller):
 "DEFAULT_VALUE": 'y',
 "MASK_INPUT": False,
 "LOOSE_VALIDATION": False,
- "CONF_NAME": 'CONFIG_KEYSTONE_DB_PURGE_ENABLE',
+ "CONF_NAME": 'CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',
 "USE_DEFAULT": False,
 "NEED_CONFIRM": True,
 "CONDITION": False},
diff --git a/packstack/puppet/modules/packstack/manifests/keystone.pp b/packstack/puppet/modules/packstack/manifests/keystone.pp
index 2c561281c..2bb36d3a4 100644
--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
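Review bot: The new PROMPT text in the first keystone_100.py hunk says the cron job rotates "Fernet tokens", but what the `::keystone::cron::fernet_rotate` class and the release note in this same commit describe is rotation of the Fernet signing keys; tokens are not rotated, they expire. Suggest `"Enter y if cron job to rotate Fernet keys should be "` / `"created"` here, and the same wording fix for the matching sentence in docs/packstack.rst, so the answer-file help does not mislead operators about what the job touches. The CONF_NAME rename in the second hunk also means an existing answer file's CONFIG_KEYSTONE_DB_PURGE_ENABLE value is silently no longer read; since the new option defaults to 'y' that is presumably intended, but a one-line remark in the prompt or docs that the old key is ignored would help upgrades. initConfig continues outside both hunks.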
@@ -17,11 +17,9 @@ class packstack::keystone ()
 class { '::keystone::client': }
 
- if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) {
- class { '::keystone::cron::token_flush':
- minute => '*/1',
+ if hiera('CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE',false) {
+ class { '::keystone::cron::fernet_rotate':
 require => Service['crond'],
- destination => '/dev/null',
 }
 service { 'crond':
 ensure => 'running',
diff --git a/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
new file mode 100644
index 000000000..724a3bc58
--- /dev/null
+++ b/releasenotes/notes/Replace-keystone-token-flush-cron-job-with-fernet-rotation-5b1fccf2bc6add91.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ A new CONFIG_KEYSTONE_FERNET_TOKEN_ROTATE_ENABLE option has been added to
+ the answer file. When enabled (default), it will create a cron job to
+ rotate Fernet keys.
+deprecations:
+ - |
+ Since Keystone has deprecated token formats requiring storage in the DB,
+ the CONFIG_KEYSTONE_DB_PURGE_ENABLE option has been removed. Instead, we
+ are implementing a cron job to rotate Fernet keys.
+
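Review bot: Simply dropping the `::keystone::cron::token_flush` declaration does not remove the cron entry it created on already-deployed nodes, so an upgraded controller keeps running the old every-minute flush job alongside the new rotation job; if the puppet-keystone class exposes an `ensure` parameter, declaring it as `absent` for one release before deleting the block would clean that up. The new `fernet_rotate` declaration pins only `require => Service['crond']`, so the rotation cadence comes from the class defaults and nothing on this page records what they are; a short comment noting that the rotation period must be coordinated with keystone's token expiration and `max_active_keys`, because rotating keys faster than live tokens expire invalidates them, would help the next reader. The `if` block and the `packstack::keystone` class continue past the end of the hunk.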