diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml
index 9fbbaf46c..9c28a2383 100644
--- a/components/keystone/values.yaml
+++ b/components/keystone/values.yaml
@@ -228,10 +228,18 @@ pod:
- name: keystone-sso
mountPath: /etc/keystone-sso
readOnly: true
+ - name: oidc-secret
+ mountPath: /etc/oidc-secret
+ readOnly: true
volumes:
- name: keystone-sso
secret:
secretName: keystone-sso
+ - name: oidc-secret
+ secret:
+ secretName: sso-passphrase
+ replicas:
+ api: 2
lifecycle:
disruption_budget:
api:
@@ -287,7 +295,9 @@ conf:
OIDCProviderMetadataURL http://dex.dex.svc:5556/.well-known/openid-configuration
OIDCClientID keystone
OIDCClientSecret "exec:/bin/cat /etc/keystone-sso/client-secret"
- OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
+ OIDCCryptoPassphrase "exec:/bin/cat /etc/oidc-secret/password"
+ OIDCCacheType memcache
+ OIDCMemCacheServers "memcached.openstack.svc.cluster.local:11211"
OIDCClaimDelimiter ;
# avoid redirect issues per the following
diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
index 9902ff6c3..4ac6ed905 100755
--- a/scripts/gitops-secrets-gen.sh
+++ b/scripts/gitops-secrets-gen.sh
@@ -265,6 +265,8 @@ convert_to_secret_name() {
load_or_gen_os_secret() {
local data_var=$1
local secret_var=$2
+ local charset=$3 # Optional third argument for custom charset
+ local charset_length=${4:-32} # Optional fourth argument, Default to 32 if not provided
if kubectl -n openstack get secret "${secret_var}" &>/dev/null; then
data="$(kubectl -n openstack get secret "${secret_var}" -o jsonpath='{.data.password}' | base64 -d)"
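Review bot: The new `oidc-secret` volume mounts the passphrase with the Secret volume's default file mode (0644 unless `defaultMode` is set), so every process in the container, not only httpd, can read `/etc/oidc-secret/password`; consider `defaultMode: 0440` next to `secretName: sso-passphrase`, provided the pod's `fsGroup`/run-as user still lets the httpd worker read it — that cannot be confirmed from this hunk. `readOnly: true` on the mount is the right choice. The `replicas: api: 2` bump presumably only works because the passphrase is now shared across pods instead of generated per pod; a one-line comment such as `# >1 replica requires the shared OIDC passphrase and memcache session cache in conf` would stop someone changing one without the other. The enclosing `pod:` mapping continues outside the hunk.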
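Review bot: `OIDCCacheType memcache` moves the module's session and state cache into `memcached.openstack.svc.cluster.local:11211`, the memcached shared with the other OpenStack services, which in the usual deployment accepts connections from anything in the cluster that can reach the Service without authenticating; mod_auth_openidc can encrypt cache entries with the crypto passphrase via `OIDCCacheEncrypt On`, so either confirm that is the default for the deployed module version or add that line explicitly below `OIDCCacheType memcache`. The passphrase appears to be read once via `exec:/bin/cat` when httpd loads its config, so a rotated `sso-passphrase` Secret takes effect only after the API pods restart and sessions cached under the old value become unreadable — worth a comment next to `OIDCCryptoPassphrase`. The enclosing `conf:` block scalar continues outside the hunk.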
@@ -274,7 +276,13 @@ load_or_gen_os_secret() {
return 1
else
echo "Generating ${secret_var}"
- data="$("${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null)"
+
+ if [[ -n "$charset" ]]; then
+ data="$("${SCRIPTS_DIR}/pwgen.sh" "$charset_length" "$charset" 2>/dev/null)"
+ else
+ data="$("${SCRIPTS_DIR}/pwgen.sh" "$charset_length" 2>/dev/null)"
+ fi
+
# good ol' bash 3 compat for macOS
eval "${data_var}=\"${data}\""
# return 0 because we need to write this out
@@ -367,4 +375,18 @@ find "${DEST_DIR}" -maxdepth 1 -mindepth 1 -type d | while read -r component; do
fi
done
+echo "Checking keystone oidc passphrase Sealed Secret"
+mkdir -p "${DEST_DIR}/keystone"
+
+# Generate or retrieve passphrase
+VARNAME_PASSPHRASE="OS_SSO_PASSPHRASE"
+SECRET_PASSPHRASE="sso-passphrase"
+
+load_or_gen_os_secret "${VARNAME_PASSPHRASE}" "${SECRET_PASSPHRASE}" "A-Za-z" && \
+ create_os_secret "PASSPHRASE" "keystone" "passphrase"
+
+# Export for Helm templating if needed
+export OS_SSO_PASSPHRASE
+
+
exit 0
diff --git a/scripts/pwgen.sh b/scripts/pwgen.sh
index 572ca5f2f..26e2f33c6 100755
--- a/scripts/pwgen.sh
+++ b/scripts/pwgen.sh
@@ -1,5 +1,12 @@
#!/bin/sh -e
export LC_ALL=C
-dd bs=512 if=/dev/urandom count=1 | tr -dc _A-Z-a-z-0-9 | head -c${1:-32}
+
+# Default password length (32 characters)
+LENGTH="${1:-32}"
+
+# Default character set (alphanumeric + special characters)
+CHARSET="${2:-_A-Z-a-z-0-9}"
+
+dd bs=512 if=/dev/urandom count=1 2>/dev/null | tr -dc "$CHARSET" | head -c"$LENGTH"
echo
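Review bot: If `pwgen.sh` fails (for example `tr` rejecting a malformed `charset`), both new `data=` assignments leave `data` empty because stderr is discarded, and unless the script runs under `set -e` — not visible here — the function goes on to `eval` the empty value and return success, so an empty passphrase would be sealed into the Secret; add a guard right after the new `fi`: `[[ -n "$data" ]] || { echo "Failed to generate ${secret_var}" >&2; return 1; }`. The two branches differ only in whether `"$charset"` is appended, so the intent is clear, but the guard is what keeps the new optional arguments from turning a bad input into a silently weak secret. `load_or_gen_os_secret` begins outside this hunk.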
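Review bot: `export OS_SSO_PASSPHRASE` places the passphrase in the environment of every command the script spawns from here on, and the comment `# Export for Helm templating if needed` suggests nothing consumes it yet; drop the export until a consumer exists, or pass it only to that one invocation (`OS_SSO_PASSPHRASE="$OS_SSO_PASSPHRASE" <command>`). The `"A-Za-z"` argument narrows the default charset and deserves a comment stating why — presumably to keep characters that the `eval` in `load_or_gen_os_secret` would interpret out of the value; 32 letters is still about 182 bits, so strength is not the issue, only the unexplained choice. `VARNAME_PASSPHRASE` is used as a dynamic variable name while `create_os_secret` is given the bare `"PASSPHRASE"`; a comment tying the two naming schemes together would help the next reader.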
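Review bot: `dd bs=512 if=/dev/urandom count=1` supplies at most 512 random bytes, and after `tr -dc "$CHARSET"` fewer than `$LENGTH` may survive, so `head -c"$LENGTH"` silently returns a shorter password; a narrow charset (digits only leaves roughly 20 of 512 bytes) or a larger `LENGTH`, both newly reachable through the parameters, makes this easy to hit, and the added `2>/dev/null` does not change that. Read until enough characters arrive instead: `tr -dc "$CHARSET" < /dev/urandom | head -c"$LENGTH"` — `head` closes the pipe after `LENGTH` bytes, and since `sh -e` without `pipefail` only checks the last command, the SIGPIPE delivered to `tr` does not fail the script. The comment `# Default character set (alphanumeric + special characters)` overstates: `_A-Z-a-z-0-9` keeps letters, digits, `_` and `-` only, so say exactly that.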