diff --git a/authority/authority.go b/authority/authority.go
index 28af693c..1b060ef8 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -11,24 +11,23 @@ import (
 	"sync"
 	"time"
 
-	"github.com/smallstep/certificates/cas"
-	"github.com/smallstep/certificates/scep"
-	"go.step.sm/linkedca"
-
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/admin"
 	adminDBNosql "github.com/smallstep/certificates/authority/admin/db/nosql"
 	"github.com/smallstep/certificates/authority/administrator"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/cas"
 	casapi "github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/kms"
 	kmsapi "github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/sshagentkms"
+	"github.com/smallstep/certificates/scep"
 	"github.com/smallstep/certificates/templates"
 	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/pemutil"
+	"go.step.sm/linkedca"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -474,7 +473,7 @@ func (a *Authority) init() error {
 	if err != nil {
 		return admin.WrapErrorISE(err, "error loading provisioners to initialize authority")
 	}
-	if len(provs) == 0 {
+	if len(provs) == 0 && !strings.EqualFold(a.config.AuthorityConfig.DeploymentType, "linked") {
 		// Create First Provisioner
 		prov, err := CreateFirstProvisioner(context.Background(), a.adminDB, a.config.Password)
 		if err != nil {
diff --git a/authority/provisioners.go b/authority/provisioners.go
index beb4f9ed..7e02126f 100644
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -14,6 +14,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 	step "go.step.sm/cli-utils/config"
+	"go.step.sm/cli-utils/ui"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/linkedca"
 	"gopkg.in/square/go-jose.v2/jwt"
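Review bot: The new guard in init() compares DeploymentType against the bare literal "linked", so the accepted spelling of the deployment type now lives only in this condition; if the config package exposes a constant or typed value for deployment types it should be used here, and either way the decision deserves a comment such as `// Linked deployments are expected to receive their provisioners from the remote management service, so do not seed a local one.` (that is presumably what skipping CreateFirstProvisioner relies on, but it is not visible in the hunk). It is worth confirming that a linked CA that boots with zero provisioners fails closed rather than serving requests with none until the remote sync completes. The import hunk above starts at "sync", so whether "strings" is already imported in authority.go cannot be seen here. init() begins and ends outside the hunk.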
@@ -238,6 +239,14 @@ func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error {
 }
 
 func CreateFirstProvisioner(ctx context.Context, db admin.DB, password string) (*linkedca.Provisioner, error) {
+	if password == "" {
+		pass, err := ui.PromptPasswordGenerate("Please enter the password to encrypt your first provisioner, leave empty and we'll generate one")
+		if err != nil {
+			return nil, err
+		}
+		password = string(pass)
+	}
+
 	jwk, jwe, err := jose.GenerateDefaultKeyPair([]byte(password))
 	if err != nil {
 		return nil, admin.WrapErrorISE(err, "error generating JWK key pair")
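Review bot: The added block makes CreateFirstProvisioner, an exported function in the authority package, block on an interactive prompt whenever password is empty, and its caller in init() (authority.go hunk above) passes a.config.Password through unchanged, so a CA started with no password under a service manager or in a container without a TTY would presumably hang or fail at startup instead of returning a clear configuration error. Either keep the prompt at the CLI boundary or fail fast when stdin is not a terminal, and in any case document the behaviour on the function: `// CreateFirstProvisioner ... If password is empty it prompts interactively and may generate one; callers must only rely on this from an interactive session.` The "leave empty and we'll generate one" path encrypts the provisioner's JWK with a password the operator never typed, so verify that PromptPasswordGenerate displays the generated value to the operator, otherwise the first provisioner's key is unrecoverable. The rest of CreateFirstProvisioner runs past the end of the hunk.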