diff --git a/centos-bareon/install.d/60-bareon-install b/centos-bareon/install.d/60-bareon-install
index d046c08..7be60c9 100755
--- a/centos-bareon/install.d/60-bareon-install
+++ b/centos-bareon/install.d/60-bareon-install
@@ -29,12 +29,18 @@ else
 rpm -qi bareon >> $RELEASE_FILE
 fi
-# TODO(lobur): generate this key and publish together with image
-install -D -g root -o root -m 0600 ${SCRIPTDIR}/files.ironic/root/.ssh/authorized_keys /root/.ssh/authorized_keys
-chmod 0700 /root/.ssh/
 install -D -g root -o root -m 0600 ${SCRIPTDIR}/files.ironic/etc/ssh/sshd_config /etc/ssh/sshd_config
 install -D -g root -o root -m 0664 ${SCRIPTDIR}/files.ironic/etc/network /etc/sysconfig/network
 install -D -g root -o root -m 0644 ${SCRIPTDIR}/files.ironic/usr/lib/systemd/system/ironic-callback.service /usr/lib/systemd/system/ironic-callback.service
 install -D -g root -o root -m 0644 ${SCRIPTDIR}/files.ironic/etc/bareon/bareon.conf /etc/bareon/bareon.conf
+install -d -g root -o root -m 0700 /root/.ssh
+if [ -n "$DIB_BAREON_ROOT_PASSWORD" ]; then
+ echo "root:$DIB_BAREON_ROOT_PASSWORD" | chpasswd
+fi
+if [ -f /tmp/bareon-build/inject-ssh-key.pub ]; then
+ (umask 0077; touch /root/.ssh/authorized_keys)
+ cat "/tmp/bareon-build/inject-ssh-key.pub" > /root/.ssh/authorized_keys
+fi
+
 systemctl enable ironic-callback.service
diff --git a/centos-bareon/install.d/files.ironic/root/.ssh/authorized_keys b/centos-bareon/install.d/files.ironic/root/.ssh/authorized_keys
deleted file mode 100644
index 4a91b0c..0000000
--- a/centos-bareon/install.d/files.ironic/root/.ssh/authorized_keys
+++ /dev/null
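Review bot: The `echo "root:$DIB_BAREON_ROOT_PASSWORD" | chpasswd` line handles the root password in clear text, so it is written to the build log whenever xtrace is active; the top of this script is outside the hunk, but root.d/60-bareon-inject-data in this same commit enables `set -x` by default. Turn tracing off around the call (restoring the previous state afterwards), or better accept an already-hashed value and pipe it to `chpasswd -e` so the clear-text password never enters the build environment. The test should read `[ -n "${DIB_BAREON_ROOT_PASSWORD:-}" ]` so that an unset variable does not abort the script if it runs under `set -u`. A short comment above the two `if` blocks saying that an image built with neither variable set gets no root credential from this element would help operators.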
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtrVTSM8tGd4E8khJn2gfN/2fymnX/0YKAGSVZTWDNIcYL5zXTlSwrccn/8EgmnNsJNxucJRT+oWqrDGaFaehuwlY/IBqm50KJVaUr5QYzOUpqVpFIpoX3UwETCxcSB1LiQYbCvrJcqOPQ4Zu9fMhMGKaAX1ohzOumn4czuLDYIvCnPnoU5RDWt7g1GaFFlzGU3JFooj7/aWFJMqJLinvay3vr2vFpBvO1y29nKu+zgpZkzzJCc0ndoVqvB+W9DY6QtgTSWfd3ZE/8vg4h8QV8H+xxqL/uWCxDkv2Y3rviAHivR/V+1YCSQH0NBJrNSkRjd+1roLhcEGT7/YEnbgVV nailgun@bootstrap
diff --git a/centos-bareon/post-install.d/80-bareon b/centos-bareon/post-install.d/80-bareon
index af16172..0e7494d 100755
--- a/centos-bareon/post-install.d/80-bareon
+++ b/centos-bareon/post-install.d/80-bareon
@@ -7,3 +7,4 @@ set -eu
 set -o pipefail
 rm -rf /tmp/bareon
+rm -r /tmp/bareon-build
diff --git a/centos-bareon/root.d/10-create-repo b/centos-bareon/root.d/10-create-repo
index bd97b81..76d2625 100755
--- a/centos-bareon/root.d/10-create-repo
+++ b/centos-bareon/root.d/10-create-repo
@@ -11,4 +11,3 @@ set -e
 sudo mkdir -p $TARGET_ROOT/etc/yum.repos.d
 sudo cp /etc/yum.repos.d/*.repo $TARGET_ROOT/etc/yum.repos.d/
 sudo cp /etc/pki/rpm-gpg/* $TARGET_ROOT/etc/pki/rpm-gpg/
-
diff --git a/centos-bareon/root.d/60-bareon-inject-data b/centos-bareon/root.d/60-bareon-inject-data
new file mode 100755
index 0000000..fc2849f
--- /dev/null
+++ b/centos-bareon/root.d/60-bareon-inject-data
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+ set -x
+fi
+
+# inject files into future chroot
+install -m 0700 -d "$TARGET_ROOT/tmp/bareon-build"
+if [ -n "$DIB_BAREON_INJECT_SSH_KEY" ]; then
+ cp "$DIB_BAREON_INJECT_SSH_KEY" "$TARGET_ROOT/tmp/bareon-build/inject-ssh-key.pub"
+fi
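Review bot: A failed `cp` in root.d/60-bareon-inject-data goes unnoticed because the new script never sets `set -eu` / `set -o pipefail`, which post-install.d/80-bareon does. A mistyped `DIB_BAREON_INJECT_SSH_KEY` path then produces an image with no authorized key, since install.d/60-bareon-install only tests `-f` and skips quietly. Add `set -eu` and `set -o pipefail` after the trace block and test `"${DIB_BAREON_INJECT_SSH_KEY:-}"` so an unset variable stays legal. The trace guard `${DIB_DEBUG_TRACE:-1}` also switches `set -x` on unless the caller disables it; `:-0` would make tracing opt-in. root.d/10-create-repo writes under `$TARGET_ROOT` through `sudo`, so the plain `install` and `cp` here may need the same, which is worth confirming.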