diff --git a/bitbucket/resource_deployment_variable.go b/bitbucket/resource_deployment_variable.go
index 871693d8..39ae30ca 100644
--- a/bitbucket/resource_deployment_variable.go
+++ b/bitbucket/resource_deployment_variable.go
@@ -4,12 +4,13 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"github.com/hashicorp/terraform/helper/schema"
 	"io/ioutil"
 	"log"
 	"net/url"
 	"strings"
 	"time"
+
+	"github.com/hashicorp/terraform/helper/schema"
 )
 
 // DeploymentVariable structure for handling key info
@@ -45,8 +46,14 @@ func resourceDeploymentVariable() *schema.Resource {
 				Required: true,
 			},
 			"value": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:      schema.TypeString,
+				Required:  true,
+				Sensitive: true,
+			},
+			"hash": {
+				Type:      schema.TypeString,
+				Computed:  true,
+				Sensitive: true,
 			},
 			"secured": {
 				Type:     schema.TypeBool,
@@ -106,6 +113,7 @@ func resourceDeploymentVariableCreate(d *schema.ResourceData, m interface{}) err
 		return decodeerr
 	}
 	d.Set("uuid", rv.UUID)
+	d.Set("hash", hashValue(rvcr.Value))
 	d.SetId(rv.UUID)
 
 	time.Sleep(5000 * time.Millisecond) // sleep for a while, to allow BitBucket cache to catch up
@@ -145,8 +153,18 @@ func resourceDeploymentVariableRead(d *schema.ResourceData, m interface{}) error
 			if rv.UUID == uuid {
 				d.SetId(rv.UUID)
 				d.Set("key", rv.Key)
-				d.Set("value", rv.Value)
 				d.Set("secured", rv.Secured)
+				switch {
+				case rv.Secured:
+					v := d.Get("value").(string)
+					h := d.Get("hash").(string)
+					if hashValue(v) != h {
+						d.Set("value", "")
+						d.Set("hash", "")
+					}
+				default:
+					d.Set("value", rv.Value)
+				}
 				return nil
 			}
 		}
@@ -184,6 +202,7 @@ func resourceDeploymentVariableUpdate(d *schema.ResourceData, m interface{}) err
 		return nil
 	}
 
+	d.Set("hash", hashValue(rvcr.Value))
 	return resourceDeploymentVariableRead(d, m)
 }
 
diff --git a/bitbucket/resource_repository_variable.go b/bitbucket/resource_repository_variable.go
index 825e942b..917fded5 100644
--- a/bitbucket/resource_repository_variable.go
+++ b/bitbucket/resource_repository_variable.go
@@ -2,6 +2,7 @@ package bitbucket
 
 import (
 	"bytes"
+	"crypto/md5"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -11,6 +12,11 @@ import (
 	"github.com/hashicorp/terraform/helper/schema"
 )
 
+func hashValue(v string) string {
+	b := md5.Sum([]byte(v))
+	return fmt.Sprintf("%x", b)
+}
+
 // RepositoryVariable structure for handling key info
 type RepositoryVariable struct {
 	Key     string `json:"key"`
@@ -36,8 +42,14 @@ func resourceRepositoryVariable() *schema.Resource {
 				Required: true,
 			},
 			"value": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:      schema.TypeString,
+				Required:  true,
+				Sensitive: true,
+			},
+			"hash": {
+				Type:      schema.TypeString,
+				Computed:  true,
+				Sensitive: true,
 			},
 			"secured": {
 				Type:     schema.TypeBool,
@@ -90,6 +102,7 @@ func resourceRepositoryVariableCreate(d *schema.ResourceData, m interface{}) err
 		return decodeerr
 	}
 	d.Set("uuid", rv.UUID)
+	d.Set("hash", hashValue(rvcr.Value))
 	d.SetId(rv.Key)
 
 	return resourceRepositoryVariableRead(d, m)
@@ -119,8 +132,18 @@ func resourceRepositoryVariableRead(d *schema.ResourceData, m interface{}) error
 
 		d.Set("uuid", rv.UUID)
 		d.Set("key", rv.Key)
-		d.Set("value", rv.Value)
 		d.Set("secured", rv.Secured)
+		switch {
+		case rv.Secured:
+			v := d.Get("value").(string)
+			h := d.Get("hash").(string)
+			if hashValue(v) != h {
+				d.Set("value", "")
+				d.Set("hash", "")
+			}
+		default:
+			d.Set("value", rv.Value)
+		}
 	}
 
 	if rvReq.StatusCode == 404 {
@@ -152,6 +175,7 @@ func resourceRepositoryVariableUpdate(d *schema.ResourceData, m interface{}) err
 		return nil
 	}
 
+	d.Set("hash", hashValue(rvcr.Value))
 	return resourceRepositoryVariableRead(d, m)
 }