diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 7984fb4fa0..ef60395b26 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -266,7 +266,8 @@ elasticsearch_port: "9200"
 
 etcd_client_port: "2379"
 etcd_peer_port: "2380"
-etcd_protocol: "http"
+etcd_enable_tls: "{{ kolla_enable_tls_backend }}"
+etcd_protocol: "{{ 'https' if etcd_enable_tls | bool else 'http' }}"
 
 fluentd_syslog_port: "5140"
 
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 0b85fb90e5..9dc0f9af2d 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@@ -18,6 +18,10 @@ etcd_services:
       ETCD_INITIAL_CLUSTER_STATE: "new"
       ETCD_OUT_FILE: "/var/log/kolla/etcd/etcd.log"
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+      ETCD_CERT_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_KEY_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-key.pem{% endif %}"
+      ETCD_PEER_CERT_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-cert.pem{% endif %}"
+      ETCD_PEER_KEY_FILE: "{% if etcd_enable_tls | bool  %}/etc/etcd/certs/etcd-key.pem{% endif %}"
     image: "{{ etcd_image_full }}"
     volumes: "{{ etcd_default_volumes + etcd_extra_volumes }}"
     dimensions: "{{ etcd_dimensions }}"
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml
index c07a2f8a8f..635cb2725a 100644
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@@ -25,5 +25,9 @@
   notify:
     - Restart {{ item.key }} container
 
+- include_tasks: copy-certs.yml
+  when:
+    - etcd_enable_tls | bool
+
 - include_tasks: check-containers.yml
   when: kolla_action != "config"
diff --git a/ansible/roles/etcd/tasks/copy-certs.yml b/ansible/roles/etcd/tasks/copy-certs.yml
new file mode 100644
index 0000000000..7601236f55
--- /dev/null
+++ b/ansible/roles/etcd/tasks/copy-certs.yml
@@ -0,0 +1,50 @@
+---
+- name: "{{ project_name }} | Copying over extra CA certificates"
+  become: true
+  copy:
+    src: "{{ kolla_certificates_dir }}/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+
+- name: "{{ project_name }} | Copying over etcd TLS certificate"
+  vars:
+    certs:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
+      - "{{ kolla_tls_backend_cert }}"
+    backend_tls_cert: "{{ lookup('first_found', certs) }}"
+  copy:
+    src: "{{ backend_tls_cert }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
+    mode: "0644"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
+
+- name: "{{ project_name }} | Copying over etcd TLS key"
+  vars:
+    keys:
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
+      - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
+      - "{{ kolla_tls_backend_key }}"
+    backend_tls_key: "{{ lookup('first_found', keys) }}"
+  copy:
+    src: "{{ backend_tls_key }}"
+    dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
+    mode: "0600"
+  become: true
+  with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
+  notify:
+    - "Restart {{ item.key }} container"
+  when:
+    - etcd_enable_tls | bool
diff --git a/ansible/roles/etcd/templates/etcd.json.j2 b/ansible/roles/etcd/templates/etcd.json.j2
index 3ea11fd909..dfd66d2e19 100644
--- a/ansible/roles/etcd/templates/etcd.json.j2
+++ b/ansible/roles/etcd/templates/etcd.json.j2
@@ -1,3 +1,18 @@
 {
-    "command": "etcd"
+    "command": "etcd",
+    "config_files": [
+        {% if etcd_enable_tls | bool %}
+        {
+            "source": "{{ container_config_directory }}/etcd-cert.pem",
+            "dest": "/etc/etcd/certs/etcd-cert.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/etcd-key.pem",
+            "dest": "/etc/etcd/certs/etcd-key.pem",
+            "owner": "etcd",
+            "perm": "0600"
+        }{% endif %}
+    ]
 }
diff --git a/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
new file mode 100644
index 0000000000..3addf1f1cb
--- /dev/null
+++ b/releasenotes/notes/add-tls-etcd-cd2bd09cd69053be.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add "etcd_enable_tls" configuration parameter which can be used to enable
+    TLS encryption for the etcd service. The default value of
+    "etcd_enable_tls" is set by the value of "kolla_enable_tls_backend".