diff --git a/cdist/conf/type/__ssh_authorized_keys/man.rst b/cdist/conf/type/__ssh_authorized_keys/man.rst index dac6adeb..e227aede 100644 --- a/cdist/conf/type/__ssh_authorized_keys/man.rst +++ b/cdist/conf/type/__ssh_authorized_keys/man.rst @@ -27,7 +27,16 @@ key Must be a string containing the ssh keytype, base 64 encoded key and optional trailing comment which shall be added to the given authorized_keys file. - Can be specified multiple times. + + Can be specified multiple times. Either --key or --keyfile must be + specified. + +keyfile + A file containing one or more SSH keys (one per line, just like the + regular authorized_keys file). + + Can be specified multiple times. Either --key or --keyfile must be + specified. OPTIONAL PARAMETERS diff --git a/cdist/conf/type/__ssh_authorized_keys/manifest b/cdist/conf/type/__ssh_authorized_keys/manifest index b319316b..b0a585f1 100755 --- a/cdist/conf/type/__ssh_authorized_keys/manifest +++ b/cdist/conf/type/__ssh_authorized_keys/manifest @@ -23,6 +23,11 @@ owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")" state="$(cat "$__object/parameter/state" 2>/dev/null)" file="$(cat "$__object/explorer/file")" +if [ ! -f "$__object/parameter/key" -a ! -f "$__object/parameter/keyfile" ]; then + echo "At least one of --key or --keyfile must be specified" >&2 + exit 1 +fi + if [ ! -f "$__object/parameter/nofile" ] && [ -z "$file" ] then echo "Cannot determine path of authorized_keys file" >&2 @@ -59,7 +64,17 @@ _type_and_key() { echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }' } -while read -r key; do +( + if [ -f "$__object/parameter/key" ]; then + cat "$__object/parameter/key" + fi + + if [ -f "$__object/parameter/keyfile" ]; then + while read filename; do + cat "$filename" + done < "$__object/parameter/keyfile" + fi +) | while read -r key; do type_and_key="$( _type_and_key "$key" )" object_id="$(_cksum "$file")-$(_cksum "$type_and_key")" set -- "$object_id" 
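Review bot: The new guard in the `@@ -23,6 +23,11 @@` hunk combines two tests with `-a` inside a single `[`, a form POSIX marks as obsolescent and that can be parsed ambiguously. The check directly below it in the same file already uses the two-test form, so I would write `if [ ! -f "$__object/parameter/key" ] && [ ! -f "$__object/parameter/keyfile" ]; then` to match. The error text says "At least one of", while the man page wording added in this commit says "Either --key or --keyfile must be specified". Since the loop accepts both together, the man page should use the "at least one of" wording too.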
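Review bot: A keyfile that is missing or unreadable is silently ignored in the `@@ -59,7 +64,17 @@` hunk, because `cat "$filename"` runs in a subshell on the left-hand side of the pipe. Its failure never reaches the manifest's exit status, so the loop simply sees fewer keys. If `--remove-unknown` is set (its handling is below this hunk, so this is inferred), a mistyped path could lead to keys being removed from the target instead of an aborted run. I would check every listed file before the pipeline starts and exit non-zero otherwise, as sketched below. The inner `while read filename` should also be `while IFS= read -r filename`, matching the outer `read -r key`, so backslashes and leading whitespace in paths survive; the loop body continues past the end of this hunk.

```shell
# Fail early: a cat error inside the piped subshell below would not stop the manifest.
if [ -f "$__object/parameter/keyfile" ]; then
    while IFS= read -r filename; do
        if [ ! -f "$filename" ] || [ ! -r "$filename" ]; then
            echo "Cannot read keyfile: $filename" >&2
            exit 1
        fi
    done < "$__object/parameter/keyfile"
fi

# … unchanged: ( cat key / keyfile ) | while read -r key; do …
```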
@@ -75,7 +90,7 @@ while read -r key; do fi # Ensure __ssh_authorized_key does not read stdin __ssh_authorized_key "$@" < /dev/null -done < "$__object/parameter/key" +done if [ -f "$__object/parameter/remove-unknown" ] && [ -s "$__object/explorer/keys" ] diff --git a/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple b/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple index 01925a15..f9a2d06b 100644 --- a/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple +++ b/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple @@ -1 +1,3 @@ option +key +keyfile diff --git a/cdist/conf/type/__ssh_authorized_keys/parameter/required_multiple b/cdist/conf/type/__ssh_authorized_keys/parameter/required_multiple deleted file mode 100644 index 06bfde49..00000000 --- a/cdist/conf/type/__ssh_authorized_keys/parameter/required_multiple +++ /dev/null @@ -1 +0,0 @@ -key
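Review bot: With the redirect removed from `done`, the loop reads the concatenated output of several `cat` calls, so a keyfile whose last line lacks a trailing newline is mishandled. Its last key is joined to the first line of the next file, and if it is the final input, `read -r key` returns non-zero and that key is skipped. In the subshell added in the previous hunk, `awk 1 "$filename"` in place of `cat "$filename"` would terminate every line. The man page describes the keyfile as being like a regular authorized_keys file, which may contain blank lines and `#` comment lines. As far as the visible lines show, those would be handed to `__ssh_authorized_key` like keys, so they should probably be skipped at the top of the loop, which starts outside this hunk.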