diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
index 30803a91..4c160671 100755
--- a/conf/type/__mysql_server/gencode-remote
+++ b/conf/type/__mysql_server/gencode-remote
@@ -19,50 +19,75 @@
 #
 #
 
-# to the database without requiring a passwort input
-rootpassword="$(cat "$__object/parameter/password")"
+if [ -f "$__object/parameter/no_my_cnf" ]; then
+   no_my_cnf="$(cat "$__object/parameter/no_my_cnf")"
+else
+   no_my_cnf="false"
+fi
 
-# set root password
-echo "mysqladmin -u root password $rootpassword"
+if [ -f "$__object/parameter/password" ]; then
+   rootpassword="$(cat "$__object/parameter/password")"
+else
+   rootpassword=""
+fi
 
-# store the root password in /root/.my.cnf so that processes can connect
-cat <<-EOFF
-cat <<-EOF > /root/.my.cnf
-	[client]
-	password=$rootpassword
+
+if [ "$rootpassword" != "" ]; then
+   # to the database without requiring a passwort input
+   # set root password
+   echo "mysqladmin -u root password $rootpassword"
+
+   # if we don't want to overwrite the .my.cnf, then take a backup now
+   if [ "$no_my_cnf" == "true" ]; then
+      mv /root/.my.cnf /root/.my.cnf.cdist.bkp
+   fi
+   
+   # store the root password in /root/.my.cnf so that processes can connect
+   cat <<-EOFF
+   cat <<-EOF > /root/.my.cnf
+      [client]
+      password=$rootpassword
 EOF
 EOFF
 
-# remove anonymous users
-cat <<-EOFF
-mysql -u root <<-EOF
-	DELETE FROM mysql.user WHERE User='';
+
+
+   # remove anonymous users
+   cat <<-EOFF
+   mysql -u root <<-EOF
+   	DELETE FROM mysql.user WHERE User='';
+EOF
+EOFF
+   
+   # remove remote-access for root
+   cat <<-EOFF
+   mysql -u root <<-EOF
+   	DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
+EOF
+EOFF
+   
+   # remove test database
+   cat <<-EOFF
+   mysql -u root <<-EOF
+   	DROP DATABASE IF EXISTS test;
+EOF
+EOFF
+   cat <<-EOFF
+   mysql -u root <<-EOF
+   	DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
+EOF
+EOFF
+   
+   # flush privileges
+   cat <<-EOFF
+   mysql -u root <<-EOF
+   	FLUSH PRIVILEGES;
 EOF
 EOFF
 
-# remove remote-access for root
-cat <<-EOFF
-mysql -u root <<-EOF
-	DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
-EOF
-EOFF
-
-# remove test database
-cat <<-EOFF
-mysql -u root <<-EOF
-	DROP DATABASE IF EXISTS test;
-EOF
-EOFF
-cat <<-EOFF
-mysql -u root <<-EOF
-	DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
-EOF
-EOFF
-
-# flush privileges
-cat <<-EOFF
-mysql -u root <<-EOF
-	FLUSH PRIVILEGES;
-EOF
-EOFF
+   # if we don't want to overwrite the .my.cnf, then restore the backup now
+   if [ "$no_my_cnf" == "true" ]; then
+      mv /root/.my.cnf.cdist.bkp /root/.my.cnf 
+   fi
 
+fi
diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text
index 25ce3e0e..f8573051 100644
--- a/conf/type/__mysql_server/man.text
+++ b/conf/type/__mysql_server/man.text
@@ -10,7 +10,10 @@ cdist-type__mysql_server - Manage a MySQL server
 
 DESCRIPTION
 -----------
-This cdist type allows you to install a MySQL database server.
+This cdist type allows you to install a MySQL database server. The
+__mysql_server type also takes care of a few basic security tweaks that are 
+normally done by running the mysql_secure_installation script that is provided
+with MySQL.
 
 
 REQUIRED PARAMETERS
@@ -21,14 +24,28 @@ password::
 
 OPTIONAL PARAMETERS
 -------------------
-None.
+no_my_cnf::
+   The /root/.my.cnf file is used to temporary store the root password when doing
+   the mysql_secure_installation. If you want to have your own .my.cnf file, then
+   specify --no_my_cnf "true".
+   Cdist will then place your original /root/.my.cnf back once cdist has run.
 
 
 EXAMPLES
 --------
 
 --------------------------------------------------------------------------------
+# to install a MySQL server
+__mysql_server
+
+# to install a MySQL server, remove remote access, remove test databases 
+# similar to mysql_secure_installation, specify the root password
 __mysql_server --password "Uu9jooKe"
+# this will also write a /root/.my.cnf file
+
+# if you don't want cdist to write a /root/.my.cnf file permanently, specify
+# the --no_my_cnf option
+__mysql_server --password "Uu9jooKe" --no_my_cnf
 --------------------------------------------------------------------------------
 
 
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
index a6840964..ce331998 100755
--- a/conf/type/__mysql_server/manifest
+++ b/conf/type/__mysql_server/manifest
@@ -22,6 +22,20 @@
 # install mysql-server
 __package mysql-server --state installed
 
-# store the root password in /root/.my.cnf so that processes can connect
-# to the database without requiring a passwort input
-__file "/root/.my.cnf" --group root --owner root --mode 600
+if [ -f "$__object/parameter/no_my_cnf" ]; then
+   no_my_cnf="$(cat "$__object/parameter/no_my_cnf")"
+else
+   no_my_cnf="false"
+fi
+
+if [ -f "$__object/parameter/password" ]; then
+   rootpassword="$(cat "$__object/parameter/password")"
+else
+   rootpassword=""
+fi
+
+if [ "$no_my_cnf" != "true" -a "$rootpassword" != "" ]; then
+   # store the root password in /root/.my.cnf so that processes can connect
+   # to the database without requiring a passwort input
+   __file "/root/.my.cnf" --group root --owner root --mode 600
+fi
diff --git a/conf/type/__mysql_server/parameter/optional b/conf/type/__mysql_server/parameter/optional
new file mode 100644
index 00000000..4c40596c
--- /dev/null
+++ b/conf/type/__mysql_server/parameter/optional
@@ -0,0 +1,2 @@
+no_my_cnf
+password
diff --git a/conf/type/__mysql_server/parameter/required b/conf/type/__mysql_server/parameter/required
index f3097ab1..e69de29b 100644
--- a/conf/type/__mysql_server/parameter/required
+++ b/conf/type/__mysql_server/parameter/required
@@ -1 +0,0 @@
-password