diff --git a/README.md b/README.md
index b9cf427..1fa6aee 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,8 @@ From there, actual system install can be performed as usual with `setup-alpine`
 Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (check sample files):
 - `wpa_supplicant.conf`[^3] (*mandatory for wifi usecase*): define wifi SSID & password.
 - `interfaces`[^3] (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
-- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^2] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start).
+- `authorized_keys` (*optional*): provide client's public SSH key to secure `root` ssh login.
+- `ssh_host_*_key*` (*optional*): provide server's custom ssh keys to be injected (may be stored), instead of using bundled ones[^2] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start).
 - `unattended.sh`[^3] (*optional*): create custom automated deployment script to further tune & extend actual setup (backgrounded).
diff --git a/headless.apkovl.tar.gz b/headless.apkovl.tar.gz
index 4b9b1a2..6d4d3e1 100644
Binary files a/headless.apkovl.tar.gz and b/headless.apkovl.tar.gz differ
diff --git a/overlay/etc/local.d/headless.start b/overlay/etc/local.d/headless.start
index 18afb85..dcadf60 100755
--- a/overlay/etc/local.d/headless.start
+++ b/overlay/etc/local.d/headless.start
@@ -47,7 +47,7 @@ exec 1>/dev/console 2>&1
 logger -st ${0##*/} "Alpine Linux headless bootstrap v$VERSION by macmpi"
-mkdir /tmp/.trash
+install -dm 0700 /tmp/.trash
 # grab used ovl filename from dmesg
 ovl="$( dmesg | grep -o 'Loading user settings from .*:' | awk '{print $5}' | sed 's/:.*$//' )"
@@ -132,12 +132,26 @@ _apk add openssh
 _preserve "/etc/ssh/sshd_config"
 _preserve "/etc/conf.d/sshd"
-cat <<-EOF >> /etc/ssh/sshd_config
- AuthenticationMethods none
- PermitEmptyPasswords yes
+cat <<-EOF > /etc/ssh/sshd_config
 PermitRootLogin yes
 Banner /tmp/.trash/banner
 EOF
+
+if install -m600 "${ovlpath}/authorized_keys" /tmp/.trash/authorized_keys; then
+ logger -st ${0##*/} "Enabling public key SSH authentication..."
+ cat <<-EOF >> /etc/ssh/sshd_config
+ AuthenticationMethods publickey
+ AuthorizedKeysFile /tmp/.trash/authorized_keys
+ # relax strict mode as authorized_keys are inside /tmp
+ StrictModes no
+ EOF
+else
+ logger -st ${0##*/} "No SSH authentication."
+ cat <<-EOF >> /etc/ssh/sshd_config
+ AuthenticationMethods none
+ PermitEmptyPasswords yes
+ EOF
+fi
 # Banner file
 warn=""
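Review bot: An empty `authorized_keys` in the overlay is not handled: `install -m600` succeeds on a zero-length file, so the `publickey` branch is taken with no usable key and root cannot log in at all, whereas a missing file falls back to the unauthenticated branch (the README hunk documents the empty-file case only for host keys). Guard on content rather than on the copy succeeding, e.g. `if [ -s "${ovlpath}/authorized_keys" ] && install -m600 "${ovlpath}/authorized_keys" /tmp/.trash/authorized_keys; then`, which also keeps `install`'s "no such file" message off the console that this script redirects stderr to earlier. `StrictModes no` disables sshd's ownership and permission checks on all of the user's files, not only on the `/tmp` path; the added comment should say what makes that acceptable here, e.g. `# StrictModes no: sshd rejects AuthorizedKeysFile under world-writable /tmp; file is root-owned 0600 in a 0700 dir, so the check is redundant`. `ovlpath` is assumed to be set earlier in the script, outside this hunk.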