diff --git a/package/base-files/files/lib/upgrade/nand.sh b/package/base-files/files/lib/upgrade/nand.sh
index ca302557c8e..22f9cce42a5 100644
--- a/package/base-files/files/lib/upgrade/nand.sh
+++ b/package/base-files/files/lib/upgrade/nand.sh
@@ -217,6 +217,16 @@ nand_upgrade_prepare_ubi() {
 	[ "$root_ubivol" ] && ubirmvol /dev/$root_ubidev -N "$CI_ROOTPART" || :
 	[ "$data_ubivol" ] && ubirmvol /dev/$root_ubidev -N rootfs_data || :
 
+	# create provisioning vol
+	if [ "${UPGRADE_OPT_ADD_PROVISIONING:-0}" -gt 0 ]; then
+		[ -n "$(nand_find_volume $root_ubidev provisioning)" ] || {
+			if ! ubimkvol /dev/$root_ubidev -N provisioning -s 131072; then
+				echo "cannot create provisioning volume"
+				return 1
+			fi
+		}
+	fi
+
 	# create kernel vol
 	if [ -n "$kernel_length" ]; then
 		if ! ubimkvol /dev/$kern_ubidev -N "$CI_KERNPART" -s $kernel_length; then
diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade
index 69bdad51b0c..9b993a72f29 100755
--- a/package/base-files/files/sbin/sysupgrade
+++ b/package/base-files/files/sbin/sysupgrade
@@ -11,6 +11,7 @@ INSTALLED_PACKAGES=${ETCBACKUP_DIR}/installed_packages.txt
 COMMAND=/lib/upgrade/do_stage2
 
 # File-local globals
+ADD_PROVISIONING=0
 SAVE_OVERLAY=0
 SAVE_OVERLAY_PATH=
 SAVE_PARTITIONS=1
@@ -45,6 +46,7 @@ while [ -n "$1" ]; do
 		-c) SAVE_OVERLAY=1 SAVE_OVERLAY_PATH=/etc;;
 		-o) SAVE_OVERLAY=1 SAVE_OVERLAY_PATH=/;;
 		-p) SAVE_PARTITIONS=0;;
+		-P) ADD_PROVISIONING=1;;
 		-k) SAVE_INSTALLED_PKGS=1;;
 		-u) SKIP_UNCHANGED=1;;
 		-b|--create-backup) CONF_BACKUP="$2" NEED_IMAGE=1; shift;;
@@ -68,7 +70,7 @@ done
 print_help() {
 	cat <<EOF
 Usage: $0 [<upgrade-option>...] <image file or URL>
-       $0 [-q] [-i] [-c] [-u] [-o] [-k] <backup-command> <file>
+       $0 [-q] [-i] [-c] [-u] [-o] [-k] [-P] <backup-command> <file>
 
 upgrade-option:
 	-f <config>  restore configuration from .tar.gz (file or url)
@@ -82,6 +84,8 @@ upgrade-option:
 	-k           include in backup a list of current installed packages at
 	             $INSTALLED_PACKAGES
 	-s           stay on current partition (for dual firmware devices)
+	-P           create provisioning partition to keep sensitive data across
+	             factory resets.
 	-T | --test
 	             Verify image and config .tar.gz but do not actually flash.
 	-F | --force
@@ -427,6 +431,7 @@ else
 	json_add_string command "$COMMAND"
 	json_add_object options
 	json_add_int save_partitions "$SAVE_PARTITIONS"
+	json_add_int add_provisioning "$ADD_PROVISIONING"
 	[ $USE_CURR_PART -eq 1 ] && json_add_boolean use_curr_part 1
 	json_close_object