diff --git a/bootstrapvz/plugins/root_password/README.rst b/bootstrapvz/plugins/root_password/README.rst index c2f37c8..f82d64d 100644 --- a/bootstrapvz/plugins/root_password/README.rst +++ b/bootstrapvz/plugins/root_password/README.rst @@ -6,6 +6,15 @@ SSH password authentication. Settings ~~~~~~~~ +``oneOf`` - ``password``: The password for the root user. - ``required`` +- ``password-crypted``: The password for the root user[crypt(3) hash] + +The following command (available from the **whois** package) can be used +to generate a SHA-512 based crypt(3) hash for a password: + +.. code-block:: shell + + mkpasswd -m sha-512 + diff --git a/bootstrapvz/plugins/root_password/manifest-schema.yml b/bootstrapvz/plugins/root_password/manifest-schema.yml index f91ef63..5958b34 100644 --- a/bootstrapvz/plugins/root_password/manifest-schema.yml +++ b/bootstrapvz/plugins/root_password/manifest-schema.yml @@ -8,7 +8,10 @@ properties: properties: root_password: type: object + oneOf: + - required: [password] + - required: [password-crypted] properties: password: {type: string} - required: [password] + password-crypted: {type: string} additionalProperties: false diff --git a/bootstrapvz/plugins/root_password/tasks.py b/bootstrapvz/plugins/root_password/tasks.py index b4ee7b3..fe2d189 100644 --- a/bootstrapvz/plugins/root_password/tasks.py +++ b/bootstrapvz/plugins/root_password/tasks.py 
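Review bot: `password-crypted: {type: string}` in manifest-schema.yml accepts any string, including an empty one or a plaintext password, and the tasks.py hunk passes it unchecked to `chpasswd --encrypted`. As far as I know, chpasswd then writes the value into the shadow entry as given. An empty value could leave root with an empty password field, a plaintext one would leave a password nobody can use, and neither fails the build. Because the stdin payload is built by concatenation, a value containing `:` or a line break would also no longer be a single `root:` record. Constraining the property at validation time covers all of these, for example `password-crypted: {type: string, pattern: '^\$[0-9a-zA-Z]+\$[^:\s]+$'}`; loosen the pattern if traditional DES hashes must still be accepted.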
@@ -9,5 +9,10 @@ class SetRootPassword(Task):
 @classmethod
 def run(cls, info):
 from bootstrapvz.common.tools import log_check_call
- log_check_call(['chroot', info.root, 'chpasswd'],
- 'root:' + info.manifest.plugins['root_password']['password'])
+ password_crypted = info.manifest.plugins['root_password'].get('password-crypted', None)
+ if password_crypted is not None:
+ log_check_call(['chroot', info.root, '/usr/sbin/chpasswd', '--encrypted'],
+ 'root:' + password_crypted)
+ else:
+ log_check_call(['chroot', info.root, '/usr/sbin/chpasswd'],
+ 'root:' + info.manifest.plugins['root_password']['password'])
diff --git a/manifests/examples/virtualbox/stretch-vagrant.yml b/manifests/examples/virtualbox/stretch-vagrant.yml
index c0dc0f1..87a3334 100644
--- a/manifests/examples/virtualbox/stretch-vagrant.yml
+++ b/manifests/examples/virtualbox/stretch-vagrant.yml
@@ -28,3 +28,5 @@ volume:
 packages: {}
 plugins:
 vagrant: {}
+ root_password:
+ password-crypted: $6$MU3jLtZHS$UHdibqwOJrZw5yI7cqzG.AnzWqOVD9krryd3Y/SgXDSHUEMsaT7iAiQHhuCpjN4Q0tEssbJYoy4H1QFxOY3Tc/
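Review bot: Nothing in `SetRootPassword.run` (tasks.py) records how the credential reaches chpasswd or whether it can end up in the build log. The second argument to `log_check_call` is presumably the child's stdin, and the helper's body is outside this diff. If it echoes stdin at any log level, both the plaintext password and the crypt hash would be written to the log. I would confirm that and state the expectation above the two calls, e.g. `# credential is fed to chpasswd on stdin, never argv; log_check_call must not log stdin`. The class definition starts above the hunk.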
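Review bot: The `password-crypted` value added to manifests/examples/virtualbox/stretch-vagrant.yml is a fixed hash in a public example. Every image built from this manifest unmodified therefore carries the same root credential, and anyone can test guesses against the hash offline. That is presumably acceptable for a throwaway local Vagrant box, but the file does not say so, and the plugin's README context mentions SSH password authentication. I would add a comment above the key, e.g. `# sample hash for local Vagrant use only; generate your own with mkpasswd -m sha-512 before building an image others can reach`.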