diff --git a/global/pre-tasks.d/040hiera-eyaml b/global/pre-tasks.d/040hiera-eyaml
new file mode 100755
index 0000000..1f2758d
--- /dev/null
+++ b/global/pre-tasks.d/040hiera-eyaml
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Set up eyaml for Hiera
+#
+
+set -e
+
+EYAMLDIR=/etc/hiera/eyaml
+
+vendor=$(lsb_release -is)
+version=$(lsb_release -rs)
+# eyaml is only used on Ubuntu 20.04 and newer, and Debian 11 and newer (earlier OSes use hiera-gpg instead)
+test "${vendor}" = "Ubuntu" && dpkg --compare-versions "${version}" "lt" "18.04" && exit 0
+test "${vendor}" = "Debian" && dpkg --compare-versions "${version}" "lt" "10" && exit 0
+
+stamp="$COSMOS_BASE/stamps/hiera-eyaml-v01.stamp"
+
+test -f "$stamp" && exit 0
+
+if [ ! -f /usr/bin/eyaml ] || [ ! -d /usr/share/doc/yaml-mode ]; then
+ apt-get update
+ apt-get -y install hiera-eyaml yaml-mode
+fi
+
+if [ ! -f ${EYAMLDIR}/public_certkey.pkcs7.pem ] || [ ! -f ${EYAMLDIR}/private_key.pkcs7.pem ]; then
+ # hiera-eyaml wants a certificate and public key, not just a public key oddly enough
+ echo "$0: Generating eyaml key in ${EYAMLDIR} - this might take a while..."
+ mkdir -p /etc/hiera/eyaml
+ openssl req -x509 -newkey rsa:4096 -keyout ${EYAMLDIR}/private_key.pkcs7.pem \
+ -out ${EYAMLDIR}/public_certkey.pkcs7.pem -days 3653 -nodes -sha256 \
+ -subj "/C=SE/O=SUNET/OU=EYAML/CN=$(hostname)"
+ rm -f ${EYAMLDIR}/public_key.pkcs7.pem # cleanup
+fi
+
+mkdir -p "$(dirname "${stamp}")"
+touch "$stamp"
diff --git a/global/pre-tasks.d/040hiera-gpg b/global/pre-tasks.d/040hiera-gpg
index 3aa3037..bc1da35 100755
--- a/global/pre-tasks.d/040hiera-gpg
+++ b/global/pre-tasks.d/040hiera-gpg
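Review bot: The comment above the OS check says eyaml is only used on Ubuntu 20.04+ and Debian 11+, but the `dpkg --compare-versions` calls bail out only for versions `lt 18.04` / `lt 10`, so the script also runs on Ubuntu 18.04 and Debian 10, which is what the `ge 18.04` / `ge 10` checks in 040hiera-gpg expect. The comment should read `# eyaml is only used on Ubuntu 18.04 and newer, and Debian 10 and newer (earlier OSes use hiera-gpg instead)` unless the later cutoff was the intent, in which case the thresholds in both scripts need changing together. The key-generation branch creates `${EYAMLDIR}` with default-umask permissions while the gpg counterpart does `chmod 700 $GNUPGHOME`; adding `chmod 700 "${EYAMLDIR}"` after the `mkdir -p` would keep the directory holding `private_key.pkcs7.pem` restricted regardless of what mode openssl gives the key file itself. Minor: `mkdir -p /etc/hiera/eyaml` hard-codes the path that `EYAMLDIR` already holds, and the `${EYAMLDIR}` expansions are unquoted while `$stamp` is quoted.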
@@ -9,12 +9,21 @@ set -e GNUPGHOME=/etc/hiera/gpg export GNUPGHOME +vendor=$(lsb_release -is) +version=$(lsb_release -rs) +# If the OS is Ubuntu 18.04 or newer, or Debian 10 or newer, we don't need to do anything (those use eyaml instead) +test "${vendor}" = "Ubuntu" && dpkg --compare-versions "${version}" "ge" "18.04" && exit 0 +test "${vendor}" = "Debian" && dpkg --compare-versions "${version}" "ge" "10" && exit 0 + +stamp="$COSMOS_BASE/stamps/hiera-gpg-v01.stamp" + +test -f "$stamp" && exit 0 + if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then apt-get update apt-get -y install ruby-gpgme fi - if [ ! -s $GNUPGHOME/secring.gpg ]; then if [ "x$1" != "x--force" ]; then @@ -35,19 +44,21 @@ if [ ! -s $GNUPGHOME/secring.gpg ]; then chmod 700 $GNUPGHOME TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX) - cat > $TMPFILE < "$TMPFILE" <
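Review bot: The new `test -f "$stamp" && exit 0` runs before the `--force` handling further down, so once the stamp exists a `--force` invocation exits here and never reaches the `"x$1" != "x--force"` branch that appears intended to regenerate the key; if the stamp is touched at the end of the script (outside this hunk) that makes `--force` a no-op on any later run. Gating the early exit on the flag, `test -f "$stamp" && [ "x$1" != "x--force" ] && exit 0`, keeps the short-circuit for normal runs while preserving the forced path. The enclosing `if [ ! -s $GNUPGHOME/secring.gpg ]` block continues outside the hunk.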