diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py
index bdcaa00b..a71eb655 100644
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@@ -73,6 +73,9 @@ p11_crypto_plugin_opts = [
     cfg.StrOpt('encryption_mechanism',
                help=u._('Secret encryption mechanism'),
               default='CKM_AES_CBC', deprecated_name='algorithm'),
+    cfg.StrOpt('mkek_key_type',
+               help=u._('MKEK Key Type'),
+               default='CKK_AES'),
     cfg.StrOpt('hmac_key_type',
                help=u._('HMAC Key Type'),
                default='CKK_AES'),
@@ -152,7 +155,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
         self.cka_sensitive = plugin_conf.always_set_cka_sensitive
         self.cka_token = plugin_conf.always_set_cka_token
         self.generate_keylabels = plugin_conf.always_set_cka_label
-        self.mkek_key_type = 'CKK_AES'
+        self.mkek_key_type = plugin_conf.mkek_key_type
         self.mkek_length = plugin_conf.mkek_length
         self.mkek_label = plugin_conf.mkek_label
         self.hmac_label = plugin_conf.hmac_label
diff --git a/barbican/plugin/crypto/pkcs11.py b/barbican/plugin/crypto/pkcs11.py
index a2b81cc1..00ba8cef 100644
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@@ -46,11 +46,13 @@ CKO_SECRET_KEY = 4
 CKK_AES = 0x1f
 CKK_GENERIC_SECRET = 0x10
 CKK_SHA256_HMAC = 0x0000002B
+VENDOR_YUBICO_CKK_AES256_CCM_WRAP = 0xD955422A
 
 _KEY_TYPES = {
     'CKK_AES': CKK_AES,
     'CKK_GENERIC_SECRET': CKK_GENERIC_SECRET,
-    'CKK_SHA256_HMAC': CKK_SHA256_HMAC
+    'CKK_SHA256_HMAC': CKK_SHA256_HMAC,
+    'VENDOR_YUBICO_CKK_AES256_CCM_WRAP': VENDOR_YUBICO_CKK_AES256_CCM_WRAP
 }
 
 CKA_CLASS = 0
diff --git a/doc/source/install/barbican-backend.rst b/doc/source/install/barbican-backend.rst
index 827bbb21..27c32cd6 100644
--- a/doc/source/install/barbican-backend.rst
+++ b/doc/source/install/barbican-backend.rst
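Review bot: The new `mkek_key_type` option accepts any string, but the only values that can work are the names registered in `_KEY_TYPES` in pkcs11.py (`CKK_AES`, `CKK_GENERIC_SECRET`, `CKK_SHA256_HMAC` and the new `VENDOR_YUBICO_CKK_AES256_CCM_WRAP`), so a typo in the type of the master KEK is presumably not caught until the plugin resolves it at runtime rather than at configuration load. oslo.config's `StrOpt` takes a `choices=` argument; passing those names there, or at least listing them in the help text, e.g. `help=u._('MKEK Key Type (a key type name known to pkcs11.py, e.g. CKK_AES or VENDOR_YUBICO_CKK_AES256_CCM_WRAP)')`, would make a bad value fail at startup. The neighbouring `hmac_key_type` option has the same shape and would benefit from the same treatment. The default `CKK_AES` matches the value the second hunk removes from `__init__` (`self.mkek_key_type = 'CKK_AES'`), so existing deployments keep their behaviour; `__init__` itself begins and ends outside that hunk.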
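Review bot: `VENDOR_YUBICO_CKK_AES256_CCM_WRAP = 0xD955422A` is a vendor-defined key type (it lies in the PKCS#11 `CKK_VENDOR_DEFINED` range, 0x80000000 and above), unlike the standard `CKK_*` values beside it, and nothing on the line records where the number comes from. A wrong or stale constant here would not fail obviously; it would simply request a different key type from the HSM, so the value should be traceable to its source. I would add a comment above the assignment such as `# Vendor-defined (CKK_VENDOR_DEFINED | vendor bits) key type for the YubiHSM AES-256 CCM wrap key; value taken from Yubico's PKCS#11 vendor definitions — re-verify when upgrading the Yubico PKCS#11 module.`. The `_KEY_TYPES` key string is also what operators must write in the config (the docs hunk uses exactly `VENDOR_YUBICO_CKK_AES256_CCM_WRAP`), so a unit test asserting that this name resolves through `_KEY_TYPES` would guard against the two drifting apart.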
@@ -130,6 +130,9 @@ The PKCS#11 plugin configuration for Luna Network HSM looks like:
     # Length in bytes of master KEK
     mkek_length = 32
 
+    # Type of the MKEK
+    mkek_key_type = VENDOR_YUBICO_CKK_AES256_CCM_WRAP
+
     # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
     hmac_label = 'my_hmac_label'
@@ -566,7 +569,8 @@ The HMAC and MKEK keys can be generated from the YubiHSM shell as follows:
 .. code-block:: bash
 
     generate wrapkey 1 0 my_mkek 1 export-wrapped:import-wrapped \
-    decrypt-cbc:decrypt-ecb:encrypt-cbc:encrypt-ecb aes256
+    decrypt-cbc:decrypt-ecb:encrypt-cbc:encrypt-ecb:exportable-under-wrap \
+    aes256-ccm-wrap
 
 KMIP Plugin
 ^^^^^^^^^^^