diff --git a/cinder/service.py b/cinder/service.py
index f47ee6111bd..66c015e2125 100644
--- a/cinder/service.py
+++ b/cinder/service.py
@@ -73,7 +73,9 @@ profiler_opts = [
     cfg.BoolOpt("profiler_enabled", default=False,
                 help=_('If False fully disable profiling feature.')),
     cfg.BoolOpt("trace_sqlalchemy", default=False,
-                help=_("If False doesn't trace SQL requests."))
+                help=_("If False doesn't trace SQL requests.")),
+    cfg.StrOpt("hmac_keys", default="SECRET_KEY",
+               help=_("Secret key to use to sign tracing messages."))
 ]
 
 CONF = cfg.CONF
@@ -87,16 +89,17 @@ def setup_profiler(binary, host):
             "Messaging", messaging, context.get_admin_context().to_dict(),
             rpc.TRANSPORT, "cinder", binary, host)
         osprofiler.notifier.set(_notifier)
+        osprofiler.web.enable(CONF.profiler.hmac_keys)
         LOG.warning(
             _LW("OSProfiler is enabled.\nIt means that person who knows "
                 "any of hmac_keys that are specified in "
-                "/etc/cinder/api-paste.ini can trace his requests. \n"
+                "/etc/cinder/cinder.conf can trace his requests. \n"
                 "In real life only operator can read this file so there "
                 "is no security issue. Note that even if person can "
                 "trigger profiler, only admin user can retrieve trace "
                 "information.\n"
                 "To disable OSprofiler set in cinder.conf:\n"
-                "[profiler]\nenabled=false"))
+                "[profiler]\nprofiler_enabled=false"))
     else:
         osprofiler.web.disable()
 
diff --git a/etc/cinder/api-paste.ini b/etc/cinder/api-paste.ini
index 73c6ad1ea33..b0f7b367b09 100644
--- a/etc/cinder/api-paste.ini
+++ b/etc/cinder/api-paste.ini
@@ -32,8 +32,6 @@ paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
 
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = SECRET_KEY
-enabled = yes
 
 [filter:noauth]
 paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory