diff --git a/README.md b/README.md
index 23476e0..2da52eb 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ From there, system install can be performed as usual with `setup-alpine` for ins
 Add-on files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (sample files are provided):
 - `wpa_supplicant.conf`[^2] (*mandatory for wifi usecase*): define wifi SSID & password.
 - `interfaces`[^2] (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
-- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^1] (not stored).
+- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^1] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start).
 - `unattended.sh`[^2] (*optional*): create custom automated deployment script to further tune & extend actual setup (backgrounded).
diff --git a/headless.apkovl.tar.gz b/headless.apkovl.tar.gz
index 802c8a8..c2a2dfd 100644
Binary files a/headless.apkovl.tar.gz and b/headless.apkovl.tar.gz differ
diff --git a/overlay/etc/local.d/headless.start b/overlay/etc/local.d/headless.start
index e7c783e..9ca648b 100755
--- a/overlay/etc/local.d/headless.start
+++ b/overlay/etc/local.d/headless.start
@@ -94,10 +94,6 @@ cat <<-EOF >> /etc/ssh/sshd_config
 Banner /tmp/.trash/banner
 EOF
-cat <<-EOF >> /etc/conf.d/sshd
- sshd_disable_keygen=yes
- EOF
-
 # banner file
 cat <<-EOF > /tmp/.trash/banner
@@ -115,6 +111,20 @@ if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then
 HostKey /tmp/.trash/ssh_host_ed25519_key
 HostKey /tmp/.trash/ssh_host_rsa_key
 EOF
+ cat <<-EOF >> /etc/conf.d/sshd
+ sshd_disable_keygen=yes
+ EOF
+else
+ # look for empty key within injected ones: generate new keys if found
+ if find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q .; then
+ rm /etc/ssh/ssh_host_*_key*
+ logger -st ${0##*/} "Will generate new SSH keys..."
+ else
+ logger -st ${0##*/} "Using injected SSH keys..."
+ cat <<-EOF >> /etc/conf.d/sshd
+ sshd_disable_keygen=yes
+ EOF
+ fi
 fi
 rc-service sshd start
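Review bot: The injected-keys branch (the inner `else` that logs "Using injected SSH keys...") appends `sshd_disable_keygen=yes` without checking that the retained files are usable host keys, so a truncated, CRLF-mangled or otherwise unparsable private key leaves sshd with nothing to load and no bundled-key fallback — on a headless box that means no way in at all. Only the `-empty` case is detected; a key that `ssh-keygen -y -f` cannot read should be treated the same way, so that the init script regenerates a set instead of disabling keygen. Note also that `rm /etc/ssh/ssh_host_*_key*` discards every injected key as soon as any one of them is empty, which the README sentence "Providing an empty key file will trigger new keys generation" (first hunk) does not make explicit. `${0##*/}` in both `logger -st` calls is unquoted; harmless for this script name, but `"${0##*/}"` is the safe form. The enclosing `if ! install -m600 ...` starts before the hunk.
```shell
else
	# look for empty or unparsable key within injected ones: generate new keys if found
	regen=0
	find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q . && regen=1
	for k in /etc/ssh/ssh_host_*_key; do
		# a private key sshd cannot parse would leave it with no host key at all
		ssh-keygen -y -f "$k" >/dev/null 2>&1 </dev/null || regen=1
	done
	if [ "$regen" = 1 ]; then
		rm /etc/ssh/ssh_host_*_key*
		logger -st "${0##*/}" "Will generate new SSH keys..."
	# … unchanged: else branch keeping injected keys and appending sshd_disable_keygen=yes …
```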