diff --git a/README.md b/README.md
index 339ff88..fd2859c 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,22 @@ When enabled, the secret registration server:
 Clients can then fetch the key from Trustee CDH using attestation.
+## Variables
+
+### trustee_server_secure_logging
+
+If `true`, suppress potentially sensitive output from tasks that handle
+credentials, secrets, and other sensitive data by setting `no_log: true` on
+those tasks. This prevents passwords, API tokens, private keys, and similar
+sensitive information from appearing in Ansible logs and console output.
+
+If you need to debug issues with credential handling or secret management, you
+can temporarily set `trustee_server_secure_logging: false` to see the full output from
+these tasks. However, be aware that this may expose sensitive information in
+logs, so it should only be used in development or troubleshooting scenarios.
+
+Default: `true`
+
 ## License
 MIT
diff --git a/defaults/main.yml b/defaults/main.yml
index b755ab5..f435e0a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,3 +7,4 @@ trustee_server_trustee: true
 # Secret registration server service configuration
 trustee_server_secret_registration_enabled: false
 trustee_server_secret_registration_listen_port: 8081
+trustee_server_secure_logging: true
diff --git a/tasks/secret_registration_server.yml b/tasks/secret_registration_server.yml
index caffa90..18237fb 100644
--- a/tasks/secret_registration_server.yml
+++ b/tasks/secret_registration_server.yml
@@ -29,6 +29,7 @@
 - name: Gather service facts for firewall check
 ansible.builtin.service_facts:
+ no_log: "{{ ansible_verbosity < 2 }}"
 - name: Allow secret registration server port in firewall
 ansible.posix.firewalld:
diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml
index c184d49..56b48c5 100644
--- a/tasks/trustee_quadlet.yml
+++ b/tasks/trustee_quadlet.yml
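Review bot: The `no_log: "{{ ansible_verbosity < 2 }}"` added to the 'Gather service facts for firewall check' task is gated on verbosity, not on the new `trustee_server_secure_logging` switch that the README in this same commit describes as the control for suppressing sensitive output, so a maintainer will reasonably expect the two to be linked. Since service facts carry no credentials, a comment stating the intent would prevent that confusion, e.g. `# Not secret-bearing: hidden below -vv only to keep the service inventory out of normal output.` The identical line added to 'Gather service facts' in tasks/trustee_quadlet.yml needs the same comment. It is also worth confirming that the minimum ansible-core version this role supports evaluates a templated `no_log` before deciding what to censor; I am not certain of that for every version, and the task this commit changes in tasks/trustee_quadlet.yml previously used a literal `true`.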
@@ -60,10 +60,11 @@
 cp {{ __trustee_server_config_dir }}/as/token.crt {{ __trustee_server_config_dir }}/kbs/trusted_certs/token0.crt
 fi
 changed_when: true
- no_log: true
+ no_log: "{{ trustee_server_secure_logging }}"
 - name: Gather service facts
 ansible.builtin.service_facts:
+ no_log: "{{ ansible_verbosity < 2 }}"
 - name: Allow port 8080 in firewall
 ansible.posix.firewalld:
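Review bot: Replacing the literal `no_log: true` on the shell task that copies token.crt into kbs/trusted_certs with `"{{ trustee_server_secure_logging }}"` means that once a user sets the variable to `false` the task result (rendered command, stdout, stderr) is no longer censored and will show up in verbose runs and in any collected log, on every run since the task keeps `changed_when: true`. The task's name and the rest of its shell body start before line 60 and are outside this hunk, so I cannot see what else the block touches; a comment at the `no_log` line would tell whoever flips the switch what they are exposing, e.g. `# Controlled by trustee_server_secure_logging: disabling it logs this whole shell block and its output.` If the block only copies certificates, the comment could say so and the README's mention of private keys could be narrowed to match.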