diff --git a/documentation/resource_certificate.md b/documentation/resource_certificate.md index 0f3fd84..96a070e 100644 --- a/documentation/resource_certificate.md +++ b/documentation/resource_certificate.md @@ -17,6 +17,7 @@ certificate 'cert name' do cert_passwd String # password for PFX format certificate file keychain String # keychain to install certificate to apps Array # list of apps that may access the imported key + sensitive Boolean # run execute resource with sensitive end ``` diff --git a/documentation/resource_keychain.md b/documentation/resource_keychain.md index c38b5ce..e66e186 100644 --- a/documentation/resource_keychain.md +++ b/documentation/resource_keychain.md @@ -13,8 +13,9 @@ is: ```ruby keychain 'keychain name' do - keychain String # path to selected keychain + kc_file String # path to selected keychain kc_passwd String # password for selected keychain + sensitive Boolean # run execute resource with sensitive end ``` @@ -24,23 +25,23 @@ Actions `:create`       Create a keychain as specified by -the `keychain` property. This is the default action. +the `kc_file` property. This is the default action. `:delete`       Delete a keychain as specified by -the `keychain` property. +the `kc_file` property. `:lock`       Lock a keychain as specified by -the `keychain` property. If no keychain is specified, the default keychain +the `kc_file` property. If no keychain is specified, the default keychain will be locked instead. `:unlock`       Using the `kc_passwd` property, unlock a -keychain as specified by the `keychain` property. If no keychain is specified, +keychain as specified by the `kc_file` property. If no keychain is specified, the default keychain will be unlocked instead. @@ -52,7 +53,7 @@ Examples ```ruby keychain 'test' do - keychain '/User/edward/Library/Keychains/test.keychain' + kc_file '/User/edward/Library/Keychains/test.keychain' kc_passwd 'test' action :create end 
@@ -62,7 +63,7 @@ end ```ruby keychain 'test' do - keychain '/User/edward/Library/Keychains/test.keychain' + kc_file '/User/edward/Library/Keychains/test.keychain' action :delete end ``` @@ -71,7 +72,7 @@ end ```ruby keychain 'login' do - keychain '/User/edward/Library/Keychains/login.keychain' + kc_file '/User/edward/Library/Keychains/login.keychain' kc_passwd 'login_password' action :create end @@ -81,7 +82,7 @@ end ```ruby keychain 'test' do - keychain '/User/edward/Library/Keychains/test.keychain' + kc_file '/User/edward/Library/Keychains/test.keychain' action :lock end ``` @@ -90,7 +91,7 @@ end ```ruby keychain 'test' do - keychain '/User/edward/Library/Keychains/test.keychain' + kc_file '/User/edward/Library/Keychains/test.keychain' kc_passwd 'test' action :unlock end diff --git a/resources/certificate.rb b/resources/certificate.rb index d52c6d8..52715d3 100644 --- a/resources/certificate.rb +++ b/resources/certificate.rb @@ -3,9 +3,10 @@ unified_mode true provides :certificate property :certfile, String -property :cert_password, String +property :cert_password, String, sensitive: true property :keychain, String property :apps, Array +property :sensitive, [true, false], default: false action_class do def keychain @@ -18,9 +19,11 @@ action :install do execute 'unlock keychain' do command Array(cert.unlock_keychain(node['macos']['admin_password'])) + sensitive new_resource.sensitive end execute 'install-certificate' do command Array(cert.install_certificate(new_resource.cert_password, new_resource.apps)) + sensitive new_resource.sensitive end end diff --git a/resources/keychain.rb b/resources/keychain.rb index d0a5c70..05b3378 100644 --- a/resources/keychain.rb +++ b/resources/keychain.rb @@ -4,7 +4,8 @@ provides :keychain default_action :create property :kc_file, String -property :kc_passwd, String +property :kc_passwd, String, sensitive: true +property :sensitive, [true, false], default: false action_class do def keychain 
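Review bot: The new `property :sensitive, [true, false], default: false` in resources/certificate.rb keeps log suppression opt-in. A recipe that does not set it still lets Chef print the `execute` commands built from `cert_password` and `node['macos']['admin_password']` when a command fails or the run logs at debug level. Chef already exposes `sensitive` as a common property on every resource, so the redeclaration looks redundant; I would drop it or, if it stays, use `property :sensitive, [true, false], default: true`. The same declaration is added in the `@@ -4,7 +4,8 @@` hunk of resources/keychain.rb.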
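Review bot: Both `execute` blocks in `action :install` always receive a password, so `sensitive new_resource.sensitive` leaves them unprotected whenever the caller omits the property; a literal `sensitive true` on these two resources would not depend on the recipe author. The `create` and `unlock` hunks in resources/keychain.rb pass `new_resource.kc_passwd` the same way. `sensitive` also only affects Chef's own output: if `SecurityCommand` puts the password into the command arguments (its code is not visible in this diff), it stays readable in the process list while the command runs. That is worth a comment such as `# sensitive hides the command from Chef logs only`. The body of `action :install` starts outside the hunk.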
@@ -17,6 +18,7 @@ action :create do execute 'create a keychain' do command Array(keyc.create_keychain(new_resource.kc_passwd)) + sensitive new_resource.sensitive not_if { ::File.exist? keychain + '-db' } end end @@ -25,6 +27,7 @@ action :delete do keyc = SecurityCommand.new('', keychain) execute 'delete selected keychain' do command Array(keyc.delete_keychain) + sensitive new_resource.sensitive only_if { ::File.exist?(keychain) } end end @@ -33,6 +36,7 @@ action :lock do keyc = SecurityCommand.new('', keychain) execute 'lock selected keychain' do command Array(keyc.lock_keychain) + sensitive new_resource.sensitive only_if { ::File.exist?(keychain) } end end @@ -40,6 +44,7 @@ end action :unlock do keyc = SecurityCommand.new('', keychain) do command Array(keyc.unlock_keychain(new_resource.kc_passwd)) + sensitive new_resource.sensitive only_if { ::File.exist?(keychain) } end end
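Review bot: In the `action :unlock` hunk the context reads `keyc = SecurityCommand.new('', keychain) do` with no `execute '…' do` line before `command`, and the hunk's 6/7 line counts are consistent with that reading. If the file really looks like this, the added `sensitive new_resource.sensitive` sits in a block handed to `SecurityCommand.new` rather than in an `execute` resource. The unlock command and the new flag would then probably not run as an execute resource at all. Restoring a line such as `execute 'unlock selected keychain' do` (resource name illustrative) after the `keyc = …` assignment would match the `lock` and `delete` actions; please confirm against the actual file.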