diff --git a/lib/tiny-cloud/user-data/cloud-config b/lib/tiny-cloud/user-data/cloud-config
index c389b90..ab09880 100644
--- a/lib/tiny-cloud/user-data/cloud-config
+++ b/lib/tiny-cloud/user-data/cloud-config
@@ -244,7 +244,7 @@ in_list() {
 init__userdata_users() {
 	local i users="$(get_userdata users)"
 	for i in $users; do
-		local name="" gecos="" homedir="" shell="" primary_group="" groups=""
+		local name="" gecos="" homedir="" shell="" primary_group="" groups="" passwd="" hashed_passwd=""
 		local system=false no_create_home=false lock_passwd=true
 		local keys="$(get_userdata users/$i)"
 		if [ "$i" = 1 ] && [ "$keys" = "default" ]; then
@@ -273,6 +273,10 @@ init__userdata_users() {
 		if in_list no_create_home $keys; then
 			no_create_home="$(get_userdata users/$i/no_create_home)"
 		fi
+		if in_list passwd $keys; then
+			passwd="$(get_userdata users/$i/passwd)"
+			echo "${user}:${passwd}" | $MOCK chpasswd -e
+		fi
 
 		if getent passwd "$user" >/dev/null; then
 			log -i -t "$phase" info "$ACTION: user $user already exists"
@@ -286,12 +290,17 @@ init__userdata_users() {
 			$MOCK adduser -D ${gecos:+-g "$gecos"} ${homedir:+-h "$homedir"} ${shell:+-s "$shell"} ${primary_group:+-G "$primary_group"} ${system:+-S} ${no_create_home:+-H} "$name"
 		fi
 
+		if in_list hashed_passwd $keys; then
+			hashed_passwd="$(get_userdata users/$i/hashed_passwd)"
+			echo "${name}:${hashed_passwd}" | $MOCK chpasswd -e
+		fi
+
 		if in_list lock_passwd $keys; then
 			lock_passwd="$(get_userdata users/$i/lock_passwd)"
 		fi
 
-		if [ "$lock_passwd" != "false" ]; then
-			echo "$name:*" | $MOCK chpasswd -e
+		if [ "$lock_passwd" != "false" ] && [ -z "$hashed_passwd" ]; then
+			echo "${name}:*" | $MOCK chpasswd -e
 		fi
 
 		if in_list ssh_authorized_keys $keys; then
diff --git a/tests/tiny-cloud-alpine.test b/tests/tiny-cloud-alpine.test
index b9024f3..fdef0b1 100755
--- a/tests/tiny-cloud-alpine.test
+++ b/tests/tiny-cloud-alpine.test
@@ -30,6 +30,8 @@ init_tests \
 	userdata_users_system \
 	userdata_users_no_create_home \
 	userdata_users_groups \
+	userdata_users_passwd \
+	userdata_users_hashed_passwd \
 	userdata_users_lock_passwd \
 	userdata_users_doas \
 	userdata_users_doas_with_default \
@@ -385,6 +387,38 @@ userdata_users_groups_body() {
 		tiny-cloud main
 }
 
+userdata_users_passwd_body() {
+	# first specified user will replace default user
+	fake_userdata_nocloud <<-EOF
+		#alpine-config
+		users:
+		  - none
+		  - name: foo
+		    passwd: $6$foosalt$QuhZ.r54aqCAn7mTnU4jBh9LPyuVQCa8.H0dZWCMYHVaNzsPX/heqKqI3EtnB6j.YLuaENmnlEHTiwu.iVVcG1
+	EOF
+	atf_check -e ignore -o ignore tiny-cloud early
+	atf_check \
+		-e match:"userdata_users: done" \
+		-o match:"chpasswd -e" \
+		tiny-cloud main
+}
+
+userdata_users_hashed_passwd_body() {
+	# first specified user will replace default user
+	fake_userdata_nocloud <<-EOF
+		#alpine-config
+		users:
+		  - none
+		  - name: foo
+		    hashed_passwd: $6$foosalt$QuhZ.r54aqCAn7mTnU4jBh9LPyuVQCa8.H0dZWCMYHVaNzsPX/heqKqI3EtnB6j.YLuaENmnlEHTiwu.iVVcG1
+	EOF
+	atf_check -e ignore -o ignore tiny-cloud early
+	atf_check \
+		-e match:"userdata_users: done" \
+		-o match:"chpasswd -e" \
+		tiny-cloud main
+}
+
 userdata_users_lock_passwd_body() {
 	# first specified user will replace default user
 	fake_userdata_nocloud <<-EOF