diff --git a/puppet/lib/puppet/indirector/facts/puppetdb.rb b/puppet/lib/puppet/indirector/facts/puppetdb.rb
index 2c19aa08e6..0ff0b4c181 100644
--- a/puppet/lib/puppet/indirector/facts/puppetdb.rb
+++ b/puppet/lib/puppet/indirector/facts/puppetdb.rb
@@ -16,6 +16,23 @@ def get_trusted_info(node)
 trusted.to_h
 end
+ def filter_facts(obj, blacklist, blacklist_regexps, path = [])
+ regexps = blacklist_regexps.map { |re| Regexp.new(re) }
+ case obj
+ when Hash
+ obj.each_with_object({}) do |(k, v), h|
+ full_path = (path + [k]).join('.')
+ excluded = blacklist.include?(full_path) || regexps.any? { |re| full_path =~ re }
+ next if excluded
+ h[k] = filter_facts(v, blacklist, blacklist_regexps, path + [k])
+ end
+ when Array
+ obj.map.with_index { |v, i| filter_facts(v, blacklist, blacklist_regexps, path + [i.to_s]) }
+ else
+ obj
+ end
+ end
+
+
 def save(request)
 profile("facts#save", [:puppetdb, :facts, :save, request.key]) do
 current_time = Time.now
@@ -31,6 +48,19 @@ def save(request)
 package_inventory = inventory['packages'] if inventory.respond_to?(:keys)
 facts.values.delete('_puppet_inventory_1')
+ fact_names_blacklist = Puppet::Util::Puppetdb.config.fact_names_blacklist
+
+ fact_names_blacklist.each{|blacklisted_fact_name|
+ facts.values.delete(blacklisted_fact_name)
+ }
+
+ fact_names_blacklist_regexps = Puppet::Util::Puppetdb.config.fact_names_blacklist_regex
+ facts.values = filter_facts(
+ facts.values,
+ fact_names_blacklist,
+ fact_names_blacklist_regexps
+ )
+
 payload_value = {
 "certname" => facts.name,
 "values" => facts.values,
diff --git a/puppet/lib/puppet/util/puppetdb/config.rb b/puppet/lib/puppet/util/puppetdb/config.rb
index 61284431c9..a108331896 100644
--- a/puppet/lib/puppet/util/puppetdb/config.rb
+++ b/puppet/lib/puppet/util/puppetdb/config.rb
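Review bot: `filter_facts` recompiles every pattern with `Regexp.new` on each recursive call, because the raw strings in `blacklist_regexps` are passed down and mapped again at every Hash and Array node. A malformed pattern also raises `RegexpError` only here, in the middle of a fact save. Compile once and hand the compiled objects down, e.g. `regexps = blacklist_regexps.map { |re| re.is_a?(Regexp) ? re : Regexp.new(re) }` with the recursive calls passing `regexps`, and prefer `re.match?(full_path)` over `=~`. The method also needs a comment stating that paths are dot-joined keys with array indexes as segments, and that patterns are unanchored, so a pattern matching anywhere in the path removes that value and everything beneath it.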
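Review bot: The `fact_names_blacklist.each` loop in the second hunk is redundant with the `filter_facts` call below it, since for a top-level key `full_path` is the key itself and `blacklist.include?(full_path)` already drops it. Removing the loop leaves a single code path that decides which facts are withheld from PuppetDB, which is easier to audit. `filter_facts` also rebuilds the whole values structure on every save even when both lists are empty; wrapping the assignment in `unless fact_names_blacklist.empty? && fact_names_blacklist_regexps.empty?` would avoid that. The body of `save` starts and ends outside this hunk.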
@@ -18,7 +18,9 @@ def self.load(config_file = nil)
 :submit_only_server_urls => "",
 :command_broadcast => false,
 :sticky_read_failover => false,
- :verify_client_certificate => true
+ :verify_client_certificate => true,
+ :fact_names_blacklist => "",
+ :fact_names_blacklist_regex => ""
 }
 config_file ||= File.join(Puppet[:confdir], "puppetdb.conf")
@@ -71,7 +73,9 @@ def self.load(config_file = nil)
 :submit_only_server_urls,
 :command_broadcast,
 :sticky_read_failover,
- :verify_client_certificate].include?(k))
+ :verify_client_certificate,
+ :fact_names_blacklist,
+ :fact_names_blacklist_regex].include?(k))
 end
 parsed_urls = config_hash[:server_urls].split(",").map {|s| s.strip}
@@ -108,6 +112,10 @@ def self.load(config_file = nil)
 "or equal to the number of server_urls (#{config_hash[:server_urls].length})"
 end
+ config_hash[:fact_names_blacklist] = config_hash[:fact_names_blacklist].split(",").map {|s| s.strip}
+
+ config_hash[:fact_names_blacklist_regex] = config_hash[:fact_names_blacklist_regex].split(",").map {|s| s.strip}
+
 self.new(config_hash)
 rescue => detail
 Puppet.log_exception detail, "Could not configure PuppetDB terminuses: #{detail.message}", {level: :warning}
@@ -160,6 +168,15 @@ def verify_client_certificate
 config[:verify_client_certificate]
 end
+ def fact_names_blacklist
+ config[:fact_names_blacklist]
+ end
+
+ def fact_names_blacklist_regex
+ config[:fact_names_blacklist_regex]
+ end
+
+
 # @!group Private instance methods
 # @!attribute [r] count
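Review bot: In the third hunk, an empty entry in `fact_names_blacklist_regex` (a value such as `a,,b`, a leading comma, or `a, ,b` after `strip`) survives the split as `""`, and an empty pattern matches every fact path, so the terminus would silently submit no facts at all. Drop blank entries on both settings, e.g. `config_hash[:fact_names_blacklist_regex] = config_hash[:fact_names_blacklist_regex].split(",").map(&:strip).reject(&:empty?)`. Splitting on `,` also cuts any pattern that itself contains a comma, such as a `{1,3}` quantifier, which should be documented next to the setting. Compiling the patterns here with `Regexp.new` would surface a malformed pattern through the existing `rescue => detail` at load time rather than on the first fact save.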