diff --git a/agent/azure.c b/agent/azure.c
index ace0460..604433f 100644
--- a/agent/azure.c
+++ b/agent/azure.c
@@ -720,6 +720,21 @@ azure_getovfenv(struct system_config *sc)
 			log_debug("%s: password failed", __func__);
 			goto done;
 		}
+
+		free(xe->xe_tag);
+		free(xe->xe_data);
+		explicit_bzero(xe->xe_data, xe->xe_datalen);
+
+		/* Replace unencrypted password with hash */
+		xe->xe_tag = strdup("UserPasswordHash");
+		xe->xe_data = strdup(sc->sc_password);
+		xe->xe_datalen = strlen(sc->sc_password);
+	} else if ((xe = xml_findl(&xp->xe_head,
+	    "UserPasswordHash", NULL)) != NULL) {
+		if ((sc->sc_password = strdup(xe->xe_data)) != NULL) {
+			log_debug("%s: password hash failed", __func__);
+			goto done;
+		}
 	}
 
 	if ((fd = open(sc->sc_ovfenv, O_WRONLY|O_CREAT|O_TRUNC, 0600)) == -1 ||
diff --git a/agent/xml.c b/agent/xml.c
index a67bfa4..7a29f8d 100644
--- a/agent/xml.c
+++ b/agent/xml.c
@@ -239,8 +239,10 @@ xml_end_element(void *data, const char *el)
 		fatal("missing element");
 	if (strcmp(xe->xe_tag, el) != 0)
 		fatal("unexpected closing tag: %s <> %s", el, xe->xe_tag);
-	if (xe->xe_data == NULL)
+	if (xe->xe_data == NULL) {
 		xe->xe_data = strdup("");
+		xe->xe_datalen = 0;
+	}
 
 	env->ox_cur = xe->xe_parent;
 	env->ox_depth--;