diff --git a/live/root/etc/systemd/system/agama-password-cmdline.service b/live/root/etc/systemd/system/agama-password-cmdline.service
index 3176560d17..72b9413350 100644
--- a/live/root/etc/systemd/system/agama-password-cmdline.service
+++ b/live/root/etc/systemd/system/agama-password-cmdline.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=Set the Agama/root password from kernel command line
+
 # before starting the SSH and Agama server so they use the new password
 Before=sshd.service
 Before=agama-web-server.service
diff --git a/live/root/etc/systemd/system/agama-password-iso.service b/live/root/etc/systemd/system/agama-password-iso.service
new file mode 100644
index 0000000000..c0f9a12ffd
--- /dev/null
+++ b/live/root/etc/systemd/system/agama-password-iso.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Set the Agama/root password from ISO application area
+
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+
+# before the other password setting methods so they can override it
+Before=agama-password-cmdline.service
+Before=agama-password-dialog.service
+Before=agama-password-systemd.service
+
+[Service]
+ExecStart=agama-password --iso
+Type=oneshot
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/usr/bin/agama-password b/live/root/usr/bin/agama-password
index aec52d7c02..690f800025 100755
--- a/live/root/usr/bin/agama-password
+++ b/live/root/usr/bin/agama-password
@@ -68,6 +68,46 @@ ask_password_systemd() {
 fi
 }
+# check if the root password is present in the ISO file metadata
+password_from_iso() {
+ # get the partition where the live ISO is mounted
+ PARTITION=$(blkid -L agama-live)
+
+ if [ -z "$PARTITION" ]; then
+ echo "Live ISO partition not found, skipping password configuration"
+ exit 0
+ fi
+
+ # get the parent device name for the partition (/dev/sda2 -> /dev/sda),
+ # for some devices just removing the trailing number does not work
+ DEVICE=$(lsblk --noheadings --output PKNAME "$PARTITION")
+
+ # if there is no parent device use the device itself (e.g. /dev/sr0)
+ if [ -z "$DEVICE" ]; then
+ DEVICE="$PARTITION"
+ else
+ # add the /dev/ prefix
+ DEVICE="/dev/$DEVICE"
+ fi
+
+ echo "Reading password from $DEVICE..."
+
+ # run tagmedia and extract the password value
+ TAG=$(tagmedia "$DEVICE" | grep "^agama_password = " | sed -e "s/^agama_password = //")
+
+ if [ -z "$TAG" ]; then
+ echo "Password not found at $DEVICE"
+ exit 0
+ fi
+
+ if PWD=$(echo "$TAG" | base64 -d); then
+ usermod -p "$PWD" root
+ else
+ echo "Base64 decoding of the password failed!"
+ exit 1
+ fi
+}
+
 if [ "$1" = "--kernel" ]; then
 # get the password from the kernel command line
 PWD=$(awk -F 'agama.password=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
@@ -83,4 +123,6 @@ elif [ "$1" = "--dialog" ]; then
 ask_password
 elif [ "$1" = "--systemd" ]; then
 ask_password_systemd
+elif [ "$1" = "--iso" ]; then
+ password_from_iso
 fi
diff --git a/live/src/config.sh b/live/src/config.sh
index 014ceb8363..a95dc29b06 100644
--- a/live/src/config.sh
+++ b/live/src/config.sh
@@ -20,6 +20,7 @@ systemctl enable agama.service
 systemctl enable agama-web-server.service
 systemctl enable agama-password-cmdline.service
 systemctl enable agama-password-dialog.service
+systemctl enable agama-password-iso.service
 systemctl enable agama-password-systemd.service
 systemctl enable agama-auto.service
 systemctl enable agama-hostname.service
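Review bot: In `password_from_iso` the base64-decoded tag is handed to `usermod -p` with no check at all, so a tag that decodes to an empty string leaves root with an empty password field and any other non-hash value becomes the shadow entry as given. The ISO application area is unauthenticated and readable by anyone who holds the image, so base64 is only an encoding here; the function comment should say that the tag must carry a crypt(3) hash, never a plain password. `usermod -p "$PWD" root` also exposes the hash in the process list, and `PWD` is the shell's own working-directory variable (the `--kernel` branch in the context lines reuses it too, but that code is only partly visible). The sketch below validates the decoded value, uses a separate variable and feeds `chpasswd -e` on stdin; it assumes only `$id$…` style hashes need to be accepted, which should be confirmed.

```shell
password_from_iso() {
  # … unchanged: find the device and read the agama_password tag into TAG …

  if ! HASH=$(echo "$TAG" | base64 -d); then
    echo "Base64 decoding of the password failed!"
    exit 1
  fi

  # accept only a single crypt(3) style field, an empty or malformed value
  # must not end up in the shadow entry
  case "$HASH" in
    *:* | *[[:space:]]*) HASH="" ;;
    '$'?*) ;;
    *) HASH="" ;;
  esac

  if [ -z "$HASH" ]; then
    echo "The decoded value is not a password hash, ignoring it"
    exit 1
  fi

  # pass the hash on stdin so it is not visible in the process list
  printf 'root:%s\n' "$HASH" | chpasswd -e
}
```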