diff --git a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java
index c4e817b82c5..4c951510e38 100644
--- a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java
+++ b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java
@@ -11,6 +11,8 @@
 import java.util.Map;
 import java.util.UUID;
 import java.util.function.Supplier;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
@@ -41,6 +43,7 @@ public class CloudInitHandler {
     private Map<String, Object> networkData;
 
     private final String passwordKey = "password";
+    private static final Pattern PASSWORD_PATTERN = Pattern.compile("(password: *)'.*'");
 
     public List<EngineMessage> validate(VmInit vmInit) {
         // validate only if 'Initial Run' parameters were specified
@@ -118,6 +121,10 @@ public Map<String, byte[]> getFileData()
             String newStr = String.format("\"%s\" : ***", passwordKey);
             metaDataStr = metaDataStr.replace(oldStr, newStr);
         }
+        if (userDataStr.contains(passwordKey)) {
+            Matcher matcher = PASSWORD_PATTERN.matcher(userDataStr);
+            userDataStr = matcher.replaceAll("$1'***'");
+        }
         log.debug("cloud-init meta-data:\n{}", metaDataStr);
         log.debug("cloud-init user-data:\n{}", userDataStr);
         return files;