diff --git a/.gitignore b/.gitignore
index 9c27f10..b4f9a5c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.asc
 image/*.raw
 *.raw
+secret/*
diff --git a/BUILD.sh b/BUILD.sh
index a56522b..793e0e2 100755
--- a/BUILD.sh
+++ b/BUILD.sh
@@ -9,6 +9,11 @@ if [ "$UID" != "0" ]; then
 exit 2
 fi

+if ! command -v "ssh-keygen"; then
+ echo "ssh-keygen is required for guest setup."
+ exit 1
+fi
+
 PATH="$PWD/scripts:$PATH"

 if [[ "$CLOUD_CONFIG_REPO" -eq "" ]]; then
@@ -42,9 +47,25 @@ IMAGE_NAME=${IMAGE_NAME:-bearcloud}
 echo "Image tag: $IMAGE_NAME:$IMAGE_TAG and $IMAGE_NAME:latest"
 echo "Additional arguments for VM image: $VM_OPTS"
 echo "Additional arguments for Hypervisor Image: $HY_OPTS"
+echo "Missing secret files like ssh host key will be automatically created."
 echo "Continue?"
 read

+declare -A PRIVATE_KEYS=(["ssh_host_ecdsa_key"]="ecdsa"
+ ["ssh_host_ed25519_key"]="ed25519"
+ ["ssh_host_rsa_key"]="rsa")
+
+for item in "${!PRIVATE_KEYS[@]}"; do
+ subject="secret/$item"
+ if [[ ! -f $subject ]]; then
+ echo "Creating missing secret $subject"
+ ssh-keygen -t "${PRIVATE_KEYS[$item]}" -f "$subject" \
+ -C "automatically generated bearcloud ssh key" \
+ -N ""
+ ssh-keygen -y -f "$subject" > "${subject}_pub"
+ fi
+done
+
 BUILDERS=$(docker buildx ls)
 if ! (echo $BUILDERS | grep -q "bearcloud"); then
 docker buildx create --name bearcloud --buildkitd-flags '--allow-insecure-entitlement security.insecure'
diff --git a/image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf b/image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf
new file mode 100644
index 0000000..18f360e
--- /dev/null
+++ b/image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf
@@ -0,0 +1,4 @@
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PubkeyAuthentication yes
+
diff --git a/secret/.gitkeep b/secret/.gitkeep
new file mode 100644
index 0000000..e69de29
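Review bot: `secret/*` keeps the generated private host keys out of version control, but the same directory sits inside the repository that BUILD.sh hands to `docker buildx`, so it is presumably part of the build context; check that the Dockerfile copies only the files the guest needs and that the private halves are not left behind in a cached or published image layer (a `.dockerignore` entry for anything not needed would make that explicit). Note that `secret/.gitkeep` is matched by this pattern too and is tracked only because it was added despite the rule, so a plain `git add` will never pick up changes under `secret/` — fine for a placeholder, but worth a line of explanation, e.g. `# generated ssh host keys (see BUILD.sh); .gitkeep is tracked on purpose`.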
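Review bot: `command -v "ssh-keygen"` prints the resolved path to stdout when it succeeds, so every normal run leaves a stray `/usr/bin/ssh-keygen` line in the build output; redirect it, `if ! command -v ssh-keygen >/dev/null 2>&1; then`, and send the failure message to stderr, `echo "ssh-keygen is required for guest setup." >&2`. The script does not appear to run under `set -e`, so an explicit check like this is the right approach and should stay. The pre-existing `[[ "$CLOUD_CONFIG_REPO" -eq "" ]]` on the last context line is an arithmetic comparison that misbehaves on non-numeric values; it is outside this change but cheap to fix alongside as `[[ -z "$CLOUD_CONFIG_REPO" ]]`.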
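Review bot: Only the private key file is checked, so a user who drops their own `secret/ssh_host_*_key` in place (the reason the directory is git-ignored) never gets the matching `_pub` file generated and the build presumably continues without it. Separately, `ssh-keygen -y -f "$subject" > "${subject}_pub"` truncates the target before ssh-keygen runs and nothing checks its exit status, so a failure (a passphrase-protected user-supplied key, for example, where `-y` prompts or fails) leaves an empty `_pub` file behind; the key generation line is likewise unchecked and the script does not appear to run under `set -e`. Note also that `ssh-keygen -f` already writes `${subject}.pub`, so each key ends up with two public halves under different names — acceptable, but a comment should say which one the guest setup consumes. I cannot see how `secret/` is consumed, but if these keys are baked into the VM image then every guest booted from one build shares a host key and a pushed image carries the private half; that trade-off deserves a comment next to `PRIVATE_KEYS`. The rewritten loop below generates the public half whenever it is missing and fails the build on any ssh-keygen error.
```shell
for item in "${!PRIVATE_KEYS[@]}"; do
  subject="secret/$item"
  if [[ ! -f "$subject" ]]; then
    echo "Creating missing secret $subject"
    ssh-keygen -t "${PRIVATE_KEYS[$item]}" -f "$subject" \
      -C "automatically generated bearcloud ssh key" \
      -N "" || exit 1
  fi
  # Derive the public half whenever it is missing (also for user-supplied keys);
  # write via a temp file so a failed ssh-keygen -y cannot leave a truncated _pub.
  if [[ ! -f "${subject}_pub" ]]; then
    ssh-keygen -y -f "$subject" > "${subject}_pub.tmp" \
      || { rm -f -- "${subject}_pub.tmp"; exit 1; }
    mv -- "${subject}_pub.tmp" "${subject}_pub"
  fi
done
```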
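Review bot: The new file lands in `/etc/ssh/ssh_config.d/`, which is the ssh client configuration, so `PasswordAuthentication no` and `KbdInteractiveAuthentication no` only stop the guest from offering passwords when it connects outward; they do nothing to the guest's sshd, which still accepts password logins. All three keywords are valid in both ssh_config and sshd_config, so the file parses cleanly and the mistake is silent. If the intent (suggested by the filename and by the host-key generation in BUILD.sh) is to harden the guest's server, the file should be `image/overlay/etc/ssh/sshd_config.d/10-disable-password.conf`, and the base sshd_config must carry `Include /etc/ssh/sshd_config.d/*.conf` before any `PasswordAuthentication` line, since sshd keeps the first value it sees; `PermitRootLogin prohibit-password` belongs in the same file. If client-side behaviour really is what is wanted, a leading comment saying so would stop the next reader from assuming the server is locked down.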