diff --git a/etc/keymaster.conf-sample b/etc/keymaster.conf-sample
index c413df7792..85f5e0e926 100644
--- a/etc/keymaster.conf-sample
+++ b/etc/keymaster.conf-sample
@@ -93,6 +93,12 @@
 # domain_id = changeme
 # domain_name = changeme
+# If running on a multi-region cluster, Castellan may select the wrong
+# endpoint for Barbican. To avoid this, set this to the URL of the
+# correct barbican endpoint. If there is only a single Barbican service
+# in your deployment, it is fine to leave this unconfigured.
+# barbican_endpoint =
+
 [kmip_keymaster]
 # The kmip_keymaster section is used to configure a keymaster that fetches an
 # encryption root secret from a KMIP service.
diff --git a/swift/common/middleware/crypto/kms_keymaster.py b/swift/common/middleware/crypto/kms_keymaster.py
index f9a542e1a4..408e420f84 100644
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@@ -34,7 +34,7 @@ class KmsKeyMaster(BaseKeyMaster):
 'domain_id', 'domain_name', 'project_id', 'project_domain_id', 'reauthenticate', 'auth_endpoint', 'api_class', 'key_id*',
- 'active_root_secret_id')
+ 'barbican_endpoint', 'active_root_secret_id')
 keymaster_conf_section = 'kms_keymaster'
 def _get_root_secret(self, conf):
@@ -67,6 +67,7 @@ class KmsKeyMaster(BaseKeyMaster):
 oslo_conf = cfg.ConfigOpts()
 options.set_defaults(
 oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+ barbican_endpoint=conf.get('barbican_endpoint'),
 api_class=conf.get('api_class')
 )
 options.enable_logging()
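Review bot: The added `barbican_endpoint=conf.get('barbican_endpoint'),` argument in the last hunk of kms_keymaster.py hands the configured string to Castellan without any check on its value. An uncommented but empty `barbican_endpoint =` line in the sample config would arrive as `''` rather than `None`, and a plain `http://` URL would have the root secret fetched over an unencrypted connection; whether Castellan rejects either case is not visible in this diff. I would normalise the value with `barbican_endpoint=conf.get('barbican_endpoint') or None,` and log a warning when the URL does not start with `https://`. The sample-config comment could also say that an `https://` URL is expected. The enclosing method (presumably `_get_root_secret`) starts and ends outside the hunk.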