diff --git a/bind.spec b/bind.spec
index cde769e..f7ff9dc 100644
--- a/bind.spec
+++ b/bind.spec
@@ -799,8 +799,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
 %check
 %if %{with PKCS11}
 # Tests require initialization of pkcs11 token
- export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
- sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
+ eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")
 %endif
 %if %{with UNITTEST}
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
index 7ae0a6d..a13c91e 100755
--- a/setup-named-softhsm.sh
+++ b/setup-named-softhsm.sh
@@ -2,6 +2,11 @@
 #
 # This script will initialise token storage of softhsm PKCS11 provider
 # in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Recommended use:
+# eval $(bash setup-named-softhsm.sh -A)
+#
 SOFTHSM2_CONF="$1"
 TOKENPATH="$2"
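Review bot: `eval $(bash %{SOURCE48} -A ...)` loses the script's export lines whenever the script prints a diagnostic to stdout first: the unquoted substitution is word-split, `eval` rejoins the words with spaces into a single line, and the `# ...` lines the script writes to stdout (`echo_i "Initializing tokens to ..."` and the `sed -e 's/^/# /'` prefixed softhsm2-util output in the later hunk) then comment out everything after them, including `export SOFTHSM2_CONF=...`. The already-initialized path only writes to stderr, so the breakage shows up on a fresh build tree rather than on re-runs. Quote the substitution so the newlines survive, `eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"`. The "Recommended use" comment added in the setup-named-softhsm.sh header hunk shows the same unquoted form and should read `eval "$(bash setup-named-softhsm.sh -A)"`.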
@@ -10,14 +15,55 @@ GROUPNAME="$3"
 # This is intended for crypto accelerators using PKCS11 interface.
 # Uninitialized token would fail any crypto operation.
 PIN=1234
+SO_PIN=1234
+LABEL=rpm
 set -e
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
 if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
- echo "Usage: $0 [group]" >&2
+ usage >&2
 exit 1
 fi
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
 if ! [ -f "$SOFTHSM2_CONF" ]; then
 cat << SED > "$SOFTHSM2_CONF"
 # SoftHSM v2 configuration file
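Review bot: `random()` can produce empty output without aborting the script: the fallback `dd if=/dev/urandom bs=1c count=$1 | base64` runs under `set -e` with no `pipefail`, so a failing `dd` is hidden behind `base64`'s zero status and `PIN=$(random 6)` in the next hunk is then assigned an empty string. Add `set -o pipefail` next to `set -e` (the spec hunk starts the script with `bash`, so the option is available) and quote the count, `openssl rand -base64 "$1"`. The `which` probe can be replaced by the portable builtin form, `if command -v openssl >/dev/null 2>&1; then`. In `echo_i`, `$@` is unquoted, so a message containing `*` or `?` would be glob-expanded before printing; `echo "#" "$*"` keeps the message intact.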
@@ -32,19 +78,36 @@ log.level = ERROR
 slots.removable = false
 SED
 else
- echo "Config file $SOFTHSM2_CONF already exists" >&2
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
 fi
-[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
 export SOFTHSM2_CONF
 if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
 then
- echo "Token in ${TOKENPATH} is already initialized" >&2
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
 else
- echo "Initializing tokens to ${TOKENPATH}..."
- softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
 if [ -n "$GROUPNAME" ]; then
 chgrp -R -- "$GROUPNAME" "$TOKENPATH"
@@ -53,3 +116,8 @@ else
 fi
 echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
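Review bot: A failed `softhsm2-util --init-token` is no longer detected: its output is now piped through `sed -e 's/^/# /'`, and without `pipefail` only sed's status reaches `set -e`, so the script carries on and emits PIN/SO_PIN lines for a token that was never initialized. Enable `set -o pipefail` alongside `set -e`, or test `[ "${PIPESTATUS[0]}" -eq 0 ]` right after the pipeline. The PIN files are created with `touch` under `umask 0022` and only narrowed afterwards by `chmod 0600`, which leaves a window where they exist world-readable (harmless under an `mktemp -d` parent, but not under a caller-supplied token directory as in the spec hunk); create them restricted from the start, e.g. `(umask 077; touch "$PIN_SOURCE" "$SOPIN_SOURCE")`. In legacy mode `PIN_SOURCE` is empty, so the random PIN is never persisted and a re-run against an already initialized token falls through to the default `PIN=1234`, which cannot match the token; the `else` branch this applies to ends outside the hunk.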
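Review bot: Typo in the added comment: `intentionaly` should be `intentionally`. Since these stdout lines are consumed by `eval` in bind.spec, the script's stdout is effectively a shell fragment mixed with `# ` diagnostic lines, and the header would benefit from saying so explicitly, e.g. `# stdout is evaluated by the caller as shell; keep it parseable` placed above the `export` echoes. Both values come from base64 output, so embedding them inside the double quotes as written is safe.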