diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
index dfe67b5a9..7fb2bdc45 100644
--- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
@@ -4,13 +4,17 @@ SUMMARY = "Trustfence initramfs required files"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 
-SRC_URI = "file://trustfence-initramfs-init"
+SRC_URI = " \
+    file://trustfence-initramfs-init \
+    file://trustfence-install.sh \
+"
 
 S = "${WORKDIR}"
 
 do_install() {
-	install -d ${D}${sbindir}
+	install -d ${D}${base_sbindir}
 	install -m 0755 trustfence-initramfs-init ${D}/init
+	install -m 0755 trustfence-install.sh ${D}${base_sbindir}
 }
 
 # Do not create debug/devel packages
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init
index 441635f73..899f5c4e0 100644
--- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init
@@ -31,10 +31,13 @@ mkdir -p /var/run && rngd
 
 for arg in $(cat /proc/cmdline); do
 	case "${arg}" in
-		init=*|rescue=1|root=*) eval ${arg};;
+		init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};;
 	esac
 done
 
+# Translate "PARTUUID=..." to real device
+root="$(findfs ${root})"
+
 # Jump to a rescue shell if requested
 if [ -n "${rescue}" ]; then
 	# Expand console and respawn if exited
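Review bot: The new `trustfence_install=*` arm feeds the whole `source:serverip:filename` value through `eval`, so any shell metacharacters present in the value are executed rather than stored; the arm only needs an assignment, e.g. `trustfence_install=*) trustfence_install="${arg#*=}";;` in its own case arm. The pre-existing `init=*`/`root=*` arms have the same shape, but this value is the one later handed to an installer that formats the root device, so it deserves the plain assignment. The relocated `root="$(findfs ${root})"` now runs before the rescue-shell check, apparently also on boots where `root` was never set, and on a findfs failure it silently leaves `root` empty; quoting it as `"${root}"` and checking the result before use would make that failure visible. The `if [ -n "${rescue}" ]` block continues past the hunk.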
@@ -44,8 +47,14 @@ if [ -n "${rescue}" ]; then
 	done
 fi
 
-# Translate "PARTUUID=..." to real device
-root="$(findfs ${root})"
+# Run install script if "trustfence_install" kernel parameter exists
+if [ -n "${trustfence_install}" ]; then
+	trustfence-install.sh ${trustfence_install} ${root}
+	sleep 1
+	echo ">> Rebooting the system"
+	sleep 1
+	sync && reboot -f
+fi
 
 # Open LUKS encrypted device
 if trustfence-tool ${root} cryptroot; then
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh
new file mode 100644
index 000000000..4b83e3caf
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh
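Review bot: The installer's exit status is ignored: `trustfence-install.sh ${trustfence_install} ${root}` is followed unconditionally by `sync && reboot -f`, so a failed install (the script exits 1 from its `error` helper) still reboots, and if the bootloader keeps `trustfence_install` in the command line the next boot presumably repeats the format-and-install cycle. Run the installer as the condition and reboot only on success, handing over a shell otherwise; both arguments should also be quoted, since `root` may be empty when findfs failed earlier. The `if trustfence-tool ${root} cryptroot` block continues past the hunk.
```shell
if [ -n "${trustfence_install}" ]; then
	if trustfence-install.sh "${trustfence_install}" "${root}"; then
		sleep 1
		echo ">> Rebooting the system"
		sleep 1
		sync && reboot -f
	else
		# Do not reboot: a persisting install parameter could trigger another format
		echo ">> Install failed, dropping to a shell" >&2
		exec sh
	fi
fi
```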
@@ -0,0 +1,89 @@
+#!/bin/sh
+#===============================================================================
+#
+# trustfence-install.sh
+#
+# Copyright (C) 2016 by Digi International Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+#
+#
+# !Description: Wrapper script for initial deployment of encrypted rootfs
+#
+# The script gathers the needed information from the 'trustfence_install'
+# kernel command line parameter with following syntax:
+#
+# trustfence_install="source:serverip:filename"
+# source -> 'tftp' |
+# serverip -> | '' (serverip or empty if local)
+# filename -> (path relative to 'source')
+#
+# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
+# interface up, with 'ip' kernel parameter. Examples:
+#
+# ip=:::::eth0:off
+# ip=dhcp
+#
+# This script is meant for testing purposes. It's NOT a stable API and may
+# be subject to change.
+#
+#===============================================================================
+
+set -o pipefail
+
+TF_INSTALL_INFO="${1}"
+TF_ROOTFS_DEV="${2}"
+
+error() {
+	[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
+	exit 1
+}
+
+# Parse trustfence_install kernel parameter
+IFS=":" read SOURCE SERVERIP FILENAME <<_EOF_
+${TF_INSTALL_INFO}
+_EOF_
+
+# Validate command line arguments
+if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
+	error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
+elif ! [ -b "${TF_ROOTFS_DEV}" ]; then
+	error "${TF_ROOTFS_DEV} is not a block device"
+fi
+
+# Generate random key, initialize the partition and open the virtual mapped device
+trustfence-tool --format --newkey "${TF_ROOTFS_DEV}" cryptroot
+if [ "${?}" != "0" ]; then
+	error "trustfence-tool: open mapped device"
+fi
+
+# Install image to the encrypted mapped device
+if [ "${SOURCE}" = "tftp" ]; then
+	printf "\nInstalling ${FILENAME} from TFTP\n\n"
+	tftp -g -l - -r "${FILENAME}" "${SERVERIP}" | pv -tprebW | dd of=/dev/mapper/cryptroot 2>/dev/null
+	if [ "${?}" != "0" ]; then
+		error "write ${FILENAME}"
+	fi
+elif [ -b "${SOURCE}" ]; then
+	printf "\nInstalling ${FILENAME} from local media\n\n"
+	MOUNTPOINT="/media/$(basename ${SOURCE})"
+	FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
+	mkdir -p ${MOUNTPOINT}
+	mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
+	pv -tprebW ${MOUNTPOINT}/${FILENAME} | dd of=/dev/mapper/cryptroot 2>/dev/null
+	if [ "${?}" != "0" ]; then
+		error "write ${FILENAME}"
+	fi
+	umount ${SOURCE}
+else
+	error "${SOURCE} is neither a block device nor 'tftp'"
+fi
+
+echo ""
+echo "#######################"
+echo "# Install completed #"
+echo "#######################"
+echo ""
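Review bot: The image is written straight to `/dev/mapper/cryptroot` with no integrity check, and `dd`'s diagnostics are discarded by `2>/dev/null` on both write paths, so a truncated or corrupted transfer over unauthenticated TFTP is only noticed if a pipeline stage happens to exit non-zero. Keep dd's stderr visible and, where the deployment provides one, compare the written image against a known digest before the caller reboots. Separately, `${FILENAME}` is interpolated into the printf format string on the two `Installing ...` lines; use `printf "\nInstalling %s from TFTP\n\n" "${FILENAME}"` (and the same shape for the local-media line) so a `%` in the name is not interpreted as a conversion. The partition is also formatted with a fresh key before the image source has been confirmed reachable, and the local-media path leaves `${SOURCE}` mounted when `error` exits before `umount ${SOURCE}`.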