diff --git a/README.md b/README.md
index 29fbc97..f56c3fa 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,14 @@ Configure ssh public key for root user via `mdata` variable.
 - `root_authorized_keys`: ssh public key for the root user
+### root ssh public private key
+
+Configure ssh public and private key pair for root user via `mdata`. We only
+support rsa keys.
+
+- `root_ssh_rsa`: private ssh rsa key for root user
+- `root_ssh_rsa_pub`: public ssh key for root user (mostly not required)
+
 ### munin
 List of ip addresses of the munin master server that is allowed to connect. The ip addresses should be seperated by whitespace or newline.
diff --git a/copy/opt/core/var/mdata-setup/includes/02-root-ssh-keys.sh b/copy/opt/core/var/mdata-setup/includes/02-root-ssh-keys.sh
new file mode 100644
index 0000000..e40def1
--- /dev/null
+++ b/copy/opt/core/var/mdata-setup/includes/02-root-ssh-keys.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Configure ssh public and private key for root user in mdata variable
+
+if mdata-get root_ssh_rsa 1>/dev/null 2>&1; then
+ mkdir -p /root/.ssh
+ echo "# This file is managed by mdata-get root_ssh_rsa" \
+ > /root/.ssh/id_rsa
+ mdata-get root_ssh_rsa >> /root/.ssh/id_rsa
+
+ # Mostly not required but we only support it with privat key
+ if mdata-get root_ssh_rsa_pub 1>/dev/null 2>&1; then
+ echo "# This file is managed by mdata-get root_ssh_rsa_pub" \
+ > /root/.ssh/id_rsa.pub
+ mdata-get root_ssh_rsa_pub >> /root/.ssh/id_rsa.pub
+ fi
+
+ # Set correct permissions
+ chmod 700 /root/.ssh
+ chmod 600 /root/.ssh/id_rsa*
+fi
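Review bot: In the new `02-root-ssh-keys.sh`, the private key is written to `/root/.ssh/id_rsa` under whatever umask the caller has, and only tightened by `chmod 600 /root/.ssh/id_rsa*` at the end of the block. With a typical umask of 022 the file is created 0644 and a freshly made `/root/.ssh` is 0755, so the key may be readable by other local users until the `chmod` lines run, depending on the mode of `/root` itself. Set the mode before any key material is written, for example `umask 077` as the first statement inside the outer `if`, and keep the two `chmod` calls as a fix-up for files that already existed. If this include is sourced by the mdata-setup runner (not visible here), save the old value with `old_umask=$(umask)` and restore it before `fi`. Separately, the `# This file is managed by ...` line written ahead of the key should be tested against the key formats you expect, since a parser that requires the `-----BEGIN` marker at the start of the file would likely reject it.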