diff --git a/scripts/hostcfgd b/scripts/hostcfgd
index c4239199..9646249f 100644
--- a/scripts/hostcfgd
+++ b/scripts/hostcfgd
@@ -17,6 +17,7 @@ from sonic_py_common.general import check_output_pipe
 from swsscommon.swsscommon import ConfigDBConnector, DBConnector, Table
 from swsscommon import swsscommon
 from sonic_installer import bootloader
+from sonic_py_common.security_cipher import master_key_mgr
 
 # FILE
 PAM_AUTH_CONF = "/etc/pam.d/common-auth-sonic"
@@ -75,7 +76,6 @@ DEFAULT_FIPS_RESTART_SERVICES = ['ssh', 'telemetry.service', 'restapi']
 CFG_DB = "CONFIG_DB"
 STATE_DB = "STATE_DB"
 
-
 def signal_handler(sig, frame):
     if sig == signal.SIGHUP:
         syslog.syslog(syslog.LOG_INFO, "HostCfgd: signal 'SIGHUP' is caught and ignoring..")
@@ -500,6 +500,17 @@ class AaaCfg(object):
                 server = tacplus_global.copy()
                 server['ip'] = addr
                 server.update(self.tacplus_servers[addr])
+                if 'key_encrypt' in server:
+                    secure_cipher = master_key_mgr()
+                    if server['key_encrypt'] == 'True':
+                        output, errs = secure_cipher.decrypt_passkey("TACPLUS", server['passkey'])
+                        if not errs:
+                            server['passkey'] = output
+                        else:
+                            syslog.syslog(syslog.LOG_ERR, "{}: decrypt_passkey failed.".format(addr))
+                    else:
+                        # Delete the cipher_pass file if exist
+                        secure_cipher.del_cipher_pass()
                 servers_conf.append(server)
             servers_conf = sorted(servers_conf, key=lambda t: int(t['priority']), reverse=True)
 
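Review bot: When decrypt_passkey() reports an error, the new else branch only logs and then falls through to `servers_conf.append(server)`, so the still-encrypted value in `server['passkey']` is emitted into the TACACS+ server configuration as if it were the shared secret. Replacing the log-only branch with `syslog.syslog(syslog.LOG_ERR, "{}: decrypt_passkey failed, skipping server.".format(addr))` followed by `continue` keeps an entry whose key cannot be recovered out of the generated config rather than shipping ciphertext as a credential. Separately, `secure_cipher.del_cipher_pass()` runs inside the per-server loop whenever one entry's key_encrypt is anything other than the exact string 'True' (so 'true' or 'False' both trigger it), and with a mix of encrypted and unencrypted servers the file may be deleted before a later encrypted entry is processed — if decrypt_passkey depends on that file, the outcome hinges on dict iteration order; hoisting `secure_cipher = master_key_mgr()` above the loop and performing the cleanup once after it would make the intent explicit and avoid re-instantiating the manager per server. The enclosing method starts and ends outside this hunk.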