diff --git a/apis/config/config_types.go b/apis/config/config_types.go
index 2c397668..716ec51f 100644
--- a/apis/config/config_types.go
+++ b/apis/config/config_types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package config
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -36,8 +37,19 @@ type ConfigSpec struct {
 type ConfigBlob struct {
 	// Path defines the path relative to which the value is applicable
 	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=config"`
+	// Value defines the value used within the path, which is the YANG data
+	// for the particular path
 	//+kubebuilder:pruning:PreserveUnknownFields
 	Value runtime.RawExtension `json:"value" protobuf:"bytes,2,opt,name=value"`
+	// SensitivePaths define the paths for which sensitive value, like passwords, keys are referenced
+	SensitivePaths []*ConfigBlobSensitiveData `json:"sensitivePaths" protobuf:"bytes,3,opt,name=sensitivePaths"`
+}
+
+type ConfigBlobSensitiveData struct {
+	// Path defines the path to the sensitive data leaf
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=config"`
+	// Selects a key of a secret in the pod's namespace
+	SecretKeyRef corev1.SecretKeySelector `json:"secretKeyRef" protobuf:"bytes,2,opt,name=secretKeyRef"`
 }
 
 // ConfigStatus defines the observed state of Config
diff --git a/apis/inv/v1alpha1/schema_types.go b/apis/inv/v1alpha1/schema_types.go
index e3228e5f..08ca414e 100644
--- a/apis/inv/v1alpha1/schema_types.go
+++ b/apis/inv/v1alpha1/schema_types.go
@@ -57,10 +57,11 @@ type SchemaSpec struct {
 	// Dirs defines the list of directories that identified the provider schema in src/dst pairs
 	// relative within the repository
 	Dirs []SrcDstPath `json:"dirs,omitempty" yaml:"dirs,omitempty"`
-
 	// Schema provides the details of which files must be used for the models and which files/directories
-	// cana be excludes
+	// can be excludes
 	Schema SchemaSpecSchema `json:"schema" yaml:"schema"`
+	// SensitivePaths defines the paths in the schema that have sensitive data
+	SensitivePaths []string `json:"sensitivePaths,omitempty" yaml:"schema,omitempty"`
 }
 
 // SrcDstPath provide a src/dst pair for the loader to download the schema from a specific src