diff --git a/lib/kafo/configuration.rb b/lib/kafo/configuration.rb
index c684b79..9cc720e 100644
--- a/lib/kafo/configuration.rb
+++ b/lib/kafo/configuration.rb
@@ -1,5 +1,6 @@
 # encoding: UTF-8
 require 'yaml'
+require 'tmpdir'
 require 'kafo/puppet_module'
 require 'kafo/password_manager'
 
@@ -75,8 +76,11 @@ module Kafo
 
     def params_default_values
       @params_default_values ||= begin
+        @logger.debug "Creating tmp dir within #{app[:default_values_dir]}..."
+        temp_dir = Dir.mktmpdir(nil, app[:default_values_dir])
+        KafoConfigure.register_cleanup_path temp_dir
         @logger.info "Parsing default values from puppet modules..."
-        command = PuppetCommand.new("#{includes} dump_values(#{params})").append('2>&1').command
+        command = PuppetCommand.new("$temp_dir=\"#{temp_dir}\" #{includes} dump_values(#{params})").append('2>&1').command
         @logger.debug `#{command}`
         unless $?.exitstatus == 0
           log = app[:log_dir] + '/' + app[:log_name]
@@ -85,7 +89,7 @@ module Kafo
           KafoConfigure.exit(:defaults_error)
         end
         @logger.info "... finished"
-        YAML.load_file(File.join(KafoConfigure.config.app[:default_values_dir], 'default_values.yaml'))
+        YAML.load_file(File.join(temp_dir, 'default_values.yaml'))
       end
     end
 
diff --git a/lib/kafo/kafo_configure.rb b/lib/kafo/kafo_configure.rb
index a99ce0f..0eebb61 100644
--- a/lib/kafo/kafo_configure.rb
+++ b/lib/kafo/kafo_configure.rb
@@ -24,12 +24,15 @@ module Kafo
   class KafoConfigure < Clamp::Command
     include StringHelper
 
-
     class << self
       attr_accessor :config, :root_dir, :config_file, :gem_root, :temp_config_file,
                     :modules_dir, :kafo_modules_dir, :verbose, :app_options, :logger
       attr_writer :hooking
 
+      def cleanup_paths
+        @cleanup_paths ||= []
+      end
+
       def hooking
         @hooking ||= Hooking.new
       end
@@ -113,6 +116,7 @@ module Kafo
     end
 
     def self.exit(code)
+      cleanup
       @exit_code = translate_exit_code(code)
       throw :exit
     end
@@ -136,6 +140,26 @@ module Kafo
       end
     end
 
+    def self.cleanup
+      # make sure default values are removed from /tmp
+      (self.cleanup_paths + ['/tmp/default_values.yaml']).each do |file|
+        logger.debug "Cleaning #{file}"
+        FileUtils.rm_rf(file)
+      end
+    end
+
+    def self.register_cleanup_path(path)
+      self.cleanup_paths<< path
+    end
+
+    def register_cleanup_path(path)
+      self.class.register_cleanup_path(path)
+    end
+
+    def cleanup_paths
+      self.class.cleanup_paths
+    end
+
     def help
       self.class.help(invocation_path, self)
     end
diff --git a/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb b/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
index 9bbc8cd..c2a2392 100644
--- a/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
+++ b/modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
@@ -9,7 +9,13 @@ module Puppet::Parser::Functions
       [arg, found_value.nil? ? arg : found_value]
     end
     data = Hash[data]
-    dump_dir = YAML.load_file(lookupvar('kafo_config_file'))[:default_values_dir]
-    File.open("#{dump_dir}/default_values.yaml", 'w') { |file| file.write(YAML.dump(data)) }
+
+    dump_dir = lookupvar('temp_dir')
+    file_name = "#{dump_dir}/default_values.yaml"
+    raise SecurityError, "#{file_name} already exist, can't dump data to it" if File.exist?(file_name)
+
+    FileUtils.touch file_name
+    File.chmod 0600, file_name
+    File.open(file_name, 'w') { |file| file.write(YAML.dump(data)) }
   end
 end