diff --git a/group_vars/debian.yml b/group_vars/debian.yml
index 186d671..4b3275a 100644
--- a/group_vars/debian.yml
+++ b/group_vars/debian.yml
@@ -5,3 +5,6 @@ glob_apt:
 extra_repositories: []
 pin:
 bullseye: []
+
+glob_root:
+ passwd_hash: '{{ vault.root_passwd_hash }}'
diff --git a/plays/base.yml b/plays/base.yml
index 6a0d6c3..599c3c4 100755
--- a/plays/base.yml
+++ b/plays/base.yml
@@ -1,6 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
+- import_playbook: root.yml
 - import_playbook: apt.yml
 - import_playbook: ntp.yml
 - import_playbook: ldap-client.yml
diff --git a/plays/root.yml b/plays/root.yml
new file mode 100755
index 0000000..835a7c8
--- /dev/null
+++ b/plays/root.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: debian
+ vars:
+ root: "{{ glob_root | default({}) | combine(loc_root | default({})) }}"
+ roles:
+ - root
diff --git a/roles/root/tasks/main.yml b/roles/root/tasks/main.yml
new file mode 100644
index 0000000..721309f
--- /dev/null
+++ b/roles/root/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Deploys root password hash
+ replace:
+ path: /etc/shadow
+ regexp: '^root:[^:]*:'
+ replace: 'root:{{ root.passwd_hash }}:'
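Review bot: The `replace` task in roles/root/tasks/main.yml writes `root.passwd_hash` into /etc/shadow unchecked, so an empty value arriving through the `glob_root`/`loc_root` merge in plays/root.yml would leave root with an empty password field, and a value containing `:` would shift the remaining shadow fields. The task also has no `no_log: true`, so the hash can show up in `--diff` output and in the module-argument logging on the managed host. I would assert that the hash is non-empty and colon-free first, then set it through the `user` module, which updates the entry via the system account tools rather than an in-place regex edit of the file.

```yaml
- name: Checks root password hash
  assert:
    that:
      - root.passwd_hash is defined
      - root.passwd_hash | length > 0
      - "':' not in root.passwd_hash"
    quiet: true
  no_log: true

- name: Deploys root password hash
  user:
    name: root
    password: '{{ root.passwd_hash }}'
  no_log: true
```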