diff --git a/ironic/conf/deploy.py b/ironic/conf/deploy.py
index 05bd7f3c7e..20f6aa9baa 100644
--- a/ironic/conf/deploy.py
+++ b/ironic/conf/deploy.py
@@ -27,6 +27,10 @@ opts = [
     cfg.StrOpt('http_root',
                default='/httpboot',
                help=_("ironic-conductor node's HTTP root path.")),
+    cfg.BoolOpt('enable_ata_secure_erase',
+                default=True,
+                help=_('Whether to support the use of ATA Secure Erase '
+                       'during the cleaning process. Defaults to True.')),
     cfg.IntOpt('erase_devices_priority',
                help=_('Priority to run in-band erase devices via the Ironic '
                       'Python Agent ramdisk. If unset, will use the priority '
diff --git a/ironic/drivers/modules/deploy_utils.py b/ironic/drivers/modules/deploy_utils.py
index 85c1f9bef7..a0811d79cd 100644
--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
@@ -642,6 +642,8 @@ def agent_add_clean_params(task):
     info['agent_erase_devices_zeroize'] = zeroize
     erase_fallback = CONF.deploy.continue_if_disk_secure_erase_fails
     info['agent_continue_if_ata_erase_failed'] = erase_fallback
+    secure_erase = CONF.deploy.enable_ata_secure_erase
+    info['agent_enable_ata_secure_erase'] = secure_erase
 
     task.node.driver_internal_info = info
     task.node.save()
diff --git a/ironic/tests/unit/drivers/modules/test_deploy_utils.py b/ironic/tests/unit/drivers/modules/test_deploy_utils.py
index 62ee119da2..90f4885353 100644
--- a/ironic/tests/unit/drivers/modules/test_deploy_utils.py
+++ b/ironic/tests/unit/drivers/modules/test_deploy_utils.py
@@ -1623,6 +1623,7 @@ class AgentMethodsTestCase(db_base.DbTestCase):
                               'deploy')
         cfg.CONF.set_override('continue_if_disk_secure_erase_fails', True,
                               'deploy')
+        cfg.CONF.set_override('enable_ata_secure_erase', False, 'deploy')
         with task_manager.acquire(
                 self.context, self.node.uuid, shared=False) as task:
             utils.agent_add_clean_params(task)
@@ -1632,6 +1633,8 @@ class AgentMethodsTestCase(db_base.DbTestCase):
                 'agent_erase_devices_zeroize'])
             self.assertIs(True, task.node.driver_internal_info[
                 'agent_continue_if_ata_erase_failed'])
+            self.assertIs(False, task.node.driver_internal_info[
+                'agent_enable_ata_secure_erase'])
 
     @mock.patch.object(pxe.PXEBoot, 'prepare_ramdisk', autospec=True)
     @mock.patch('ironic.conductor.utils.node_power_action', autospec=True)
diff --git a/releasenotes/notes/adds-secure-erase-switch-23f449c86b3648a4.yaml b/releasenotes/notes/adds-secure-erase-switch-23f449c86b3648a4.yaml
new file mode 100644
index 0000000000..5a8428fa17
--- /dev/null
+++ b/releasenotes/notes/adds-secure-erase-switch-23f449c86b3648a4.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Adds the ``[deploy]enable_ata_secure_erase`` option which allows an
+    operator to disable ATA Secure Erase for all nodes being managed by
+    the conductor. This setting defaults to ``True`` which aligns with
+    the prior behavior of the Bare Metal service.