diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 0a92987..9ab7a53 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,7 +1,5 @@
-root_password: Pa$$w0rd
 vn_witness: false
 default_user: user
-root_password: Pa$$w0rd
 fail2ban:
 email: "{{ sysadmin_mail }}"
 bantime: 600
diff --git a/roles/debian-base/tasks/root.yml b/roles/debian-base/tasks/root.yml
index b00d8f2..0f4ce1d 100644
--- a/roles/debian-base/tasks/root.yml
+++ b/roles/debian-base/tasks/root.yml
@@ -1,30 +1,36 @@
-- name: Generate a random root password
- set_fact:
- root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
-- name: Save root password into Passbolt
- set_fact:
- msg: >
- {{
- lookup(passbolt, inventory_hostname_short,
- username='root',
- password=root_password,
- uri='ssh://'+hostname_fqdn
- )
- }}
- environment:
- PASSBOLT_CREATE_NEW_RESOURCE: true
+- name: Generate root password
 when: vn_witness
-- name: Save the root password to file
- copy:
- content: "{{ root_password }}\n"
- dest: /root/root_password.txt
- owner: root
- group: root
- mode: '0600'
- when: vn_witness
- register: local
-- name: Change root password
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
- when: local.changed
+ block:
+ - name: Search root password into Passbolt
+ set_fact:
+ qst: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ ignore_errors: true
+- name: Generate and save root password if not found in Passbolt
+ when: qst is not defined
+ block:
+ - name: Generate a random root password
+ set_fact:
+ root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"
+ - name: Save root password into Passbolt
+ set_fact:
+ msg: >
+ {{
+ lookup(passbolt, inventory_hostname_short,
+ username='root',
+ password=root_password,
+ uri='ssh://'+hostname_fqdn
+ )
+ }}
+ environment:
+ PASSBOLT_CREATE_NEW_RESOURCE: true
+ - name: Change root password
+ user:
+ name: root
+ password: "{{ root_password | password_hash('sha512') }}"
+
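Review bot: The task `- name: Generate and save root password if not found in Passbolt` sits at column 0 (its `+` marker carries no indent, unlike the `+ - name:` items inside the blocks), so it is a top-level sibling gated only by `when: qst is not defined`; on hosts where `vn_witness` is false the search task is skipped, `qst` is never set, and this block regenerates the root password, creates a Passbolt resource and changes the root password, which the old code, gated on `vn_witness`, did not do. Either nest it under the first task's `block:` or tighten the condition to `when: vn_witness and qst is not defined`. `ignore_errors: true` on the search also makes an authentication or network error indistinguishable from "not found", so a transient Passbolt failure would trigger a rotation and a second resource for the same host; registering the search result and treating a lookup error differently from an empty result would be safer, though how the passbolt lookup signals "not found" is not visible here. Minor: `PASSBOLT_CREATE_NEW_RESOURCE: true` is a YAML boolean that Ansible stringifies for `environment:`, so writing it as `"true"` makes the exported value explicit.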