diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 1a49292b1..1127d74f0 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2159,6 +2159,7 @@ static int add_airtime_weight(struct hostapd_bss_config *bss, char *value)
 
 
 #ifdef CONFIG_SAE
+
 static int parse_sae_password(struct hostapd_bss_config *bss, const char *val)
 {
 	struct sae_password_entry *pw;
@@ -2262,6 +2263,38 @@ fail:
 	os_free(pw);
 	return -1;
 }
+
+
+static int parse_sae_password_file(struct hostapd_bss_config *bss,
+				   const char *fname)
+{
+	FILE *f;
+	char buf[500], *pos;
+	unsigned int line = 0;
+
+	f = fopen(fname, "r");
+	if (!f) {
+		wpa_printf(MSG_ERROR, "sae_password_file '%s' not found.",
+			   fname);
+		return -1;
+	}
+
+	while (fgets(buf, sizeof(buf), f)) {
+		pos = os_strchr(buf, '\n');
+		if (pos)
+			*pos = '\0';
+		line++;
+		if (parse_sae_password(bss, buf)) {
+			wpa_printf(MSG_ERROR,
+				   "Invalid SAE password at line %d in '%s'",
+				   line, fname);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
 #endif /* CONFIG_SAE */
 
 
@@ -4300,6 +4333,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 				   line);
 			return 1;
 		}
+	} else if (os_strcmp(buf, "sae_password_file") == 0) {
+		if (parse_sae_password_file(bss, pos) < 0) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Invalid sae_password in file",
+				   line);
+			return 1;
+		}
 #endif /* CONFIG_SAE */
 	} else if (os_strcmp(buf, "vendor_elements") == 0) {
 		if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 99da3db3f..8f6165a0b 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -2041,6 +2041,10 @@ own_ip_addr=127.0.0.1
 #sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
 #sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier
 #sae_password=example secret|vlanid=3|id=pw identifier
+#
+# SAE passwords can also be read from a separate file in which each line
+# contains and entry in the same format as sae_password uses.
+#sae_password_file=/tc/hostapd.sae_passwords
 
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 # This parameter defines how many open SAE instances can be in progress at the