diff --git a/README.md b/README.md
index 24c4d56..8e1fafc 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ Launching an instance with the following as userdata will create users
 }
 This userdata points to the bucket keys.30mhz.com, and expects an object with the name `jasper@9apps.net`, for the key of the user `jasper`.
+If the bucket has an object with the name `jasper@9apps.net.private` this file will be installed as a private ssh key for the user `jasper`.
 NOTE: for ubuntu, change in the userdata: <"groups" : [ "wheel" ]> into <"groups" : [ "sudo" ]> as Ubuntu has no wheel group!
@@ -89,5 +90,6 @@ User accounts on instances in most systems are only used for (administering) acc
 * full name (comment)
 * groups
 * authorized keys
+* private key (optional)
-We put username, email, full name and groups in userdata. Authorized keys are stored in S3, in objects with the email as their key name.
+We put username, email, full name and groups in userdata. Authorized and private keys are stored in S3, in objects with the email as their key name.
diff --git a/users b/users
index 315de83..64e9178 100755
--- a/users
+++ b/users
@@ -28,6 +28,7 @@ if not ('security' in userdata and 'users' in userdata['security']):
 s3 = boto.connect_s3()
 keys = s3.get_bucket(userdata['security']['bucket'], validate=False)
 key = boto.s3.key.Key(keys)
+privatekey = boto.s3.key.Key(keys)
 if "provision" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -40,9 +41,17 @@ if "provision" == sys.argv[1]:
 username))
 key.key = user['email']
- os.system("/bin/mkdir --mode=0755 -p /home/{0}/.ssh".format(username))
+ os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
+ except:
+ sys.stdout.write(" {0} has no private key to provision".format(username))
+ os.system("chown -R {0}.{0} /home/{0}".format(username))
 elif "remove" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -65,6 +74,16 @@ elif "update" == sys.argv[1]:
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.exists()
+ privatekey.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
+ except:
+ # also remove
+ os.remove("/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chown -R {0}.{0} /home/{0}".format(username))
 else:
 pass
diff --git a/users_ubuntu b/users_ubuntu
index abd0085..1858dca 100644
--- a/users_ubuntu
+++ b/users_ubuntu
@@ -30,6 +30,7 @@ if not ('security' in userdata and 'users' in userdata['security']):
 s3 = boto.connect_s3()
 keys = s3.get_bucket(userdata['security']['bucket'], validate=False)
 key = boto.s3.key.Key(keys)
+privatekey = boto.s3.key.Key(keys)
 if "provision" == sys.argv[1]:
 for username in userdata['security']['users']:
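Review bot: The bare `except:` around the new id_rsa download reports every failure as "no private key", so an S3 permission or network error on the `.private` object is indistinguishable from the object simply not existing, and KeyboardInterrupt/SystemExit are swallowed as well. `get_contents_to_filename` also creates `id_rsa` with the process umask before the `chmod 600` line runs; the new `--mode=0700` on `.ssh` narrows that window, but `mkdir -p` leaves an already existing 0755 `.ssh` (as created by the previous version of this script) untouched, so on upgraded instances the private key is briefly readable by other local users. Check presence with `privatekey.exists()` and create the file 0600 via `os.open` before any key bytes are written, which removes both the chmod window and the need to catch anything; the identical hunk in `users_ubuntu` (`@@ -44,9 +45,17 @@`) needs the same change. The `sys.stdout.write` message also lacks a trailing newline. The enclosing `for username` loop and the `user` lookup start outside the hunk.
```python
# … unchanged: authorized_keys download …
privatekey.key = "{0}.private".format(user['email'])
id_rsa = "/home/{0}/.ssh/id_rsa".format(username)
if privatekey.exists():
    # create the file 0600 before any key material is written, so it is never
    # readable by other users even when ~/.ssh pre-dates the 0700 mode
    fd = os.open(id_rsa, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'wb') as fp:
        privatekey.get_contents_to_file(fp)
else:
    sys.stdout.write(" {0} has no private key to provision\n".format(username))
os.system("chown -R {0}.{0} /home/{0}".format(username))
```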
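Review bot: `privatekey.exists()` returns a bool and raises nothing, so the call on the line after `privatekey.key = ...` in the update hunk is a no-op and the except branch is only reached when `get_contents_to_filename` fails. In that branch `os.remove` is unguarded: a user who never had an `id_rsa` raises OSError out of the bare `except:`, aborting the update run before the remaining users (and the `chown`) are processed. As in the provision hunk, the key file is also created with the umask before `chmod 600`. Branch on the `exists()` result, remove only when the local file is present, and open the file 0600 up front; the identical hunk in `users_ubuntu` (`@@ -68,6 +77,15 @@`) needs the same change. The enclosing `elif "update"` loop starts outside the hunk.
```python
# … unchanged: authorized_keys refresh …
privatekey.key = "{0}.private".format(user['email'])
id_rsa = "/home/{0}/.ssh/id_rsa".format(username)
if privatekey.exists():
    fd = os.open(id_rsa, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'wb') as fp:
        privatekey.get_contents_to_file(fp)
elif os.path.exists(id_rsa):
    # the key was withdrawn from the bucket: drop the local copy
    os.remove(id_rsa)
# … unchanged: chown of the home directory …
```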
@@ -44,9 +45,17 @@ if "provision" == sys.argv[1]:
 os.system(command)
 key.key = user['email']
- os.system("/bin/mkdir --mode=0755 -p /home/{0}/.ssh".format(username))
+ os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
+ except:
+ sys.stdout.write(" {0} has no private key to provision".format(username))
+ os.system("chown -R {0}.{0} /home/{0}".format(username))
 elif "remove" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -68,6 +77,15 @@ elif "update" == sys.argv[1]:
 "/home/{0}/.ssh/authorized_keys".format(username))
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.exists()
+ privatekey.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
+ except:
+ # also remove
+ os.remove("/home/{0}/.ssh/id_rsa".format(username))
 os.system("chown -R {0}.{0} /home/{0}".format(username))
 else: