diff --git a/airootfs/etc/tmpfiles.d/ssh_authorized_keys.conf b/airootfs/etc/tmpfiles.d/ssh_authorized_keys.conf
new file mode 100644
index 0000000..b7e29bf
--- /dev/null
+++ b/airootfs/etc/tmpfiles.d/ssh_authorized_keys.conf
@@ -0,0 +1,14 @@
+# create an empty /root/.ssh/authorized_keys file with correct permissions
+# this makes adding a key easier since the correct permissions are already set
+#
+# this builds upon /usr/lib/tmpfiles.d/provision.conf
+# and supports adding entries via https://systemd.io/CREDENTIALS/
+#
+# See tmpfiles.d(5) for details
+#
+
+# Provision SSH key for root
+d- /root :0700 root :root -
+d- /root/.ssh :0700 root :root -
+f /root/.ssh/authorized_keys :0600 root :root -
+w+^ /root/.ssh/authorized_keys :0600 root :root - ssh.authorized_keys.root