diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 0e1a6dfd54..1d08fdbe38 100755
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -23,6 +23,27 @@ function alg_to_keylen {
   echo $(( 1 << (10 + ($1 / 3)) ))
 }
 
+# Default alrogithms.
+ROOT_KEY_ALGOID=11
+RECOVERY_KEY_ALGOID=11
+
+FIRMWARE_DATAKEY_ALGOID=7
+DEV_FIRMWARE_DATAKEY_ALGOID=7
+
+RECOVERY_KERNEL_ALGOID=11
+INSTALLER_KERNEL_ALGOID=11
+KERNEL_SUBKEY_ALGOID=7
+KERNEL_DATAKEY_ALGOID=4
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+FIRMWARE_KEYBLOCK_MODE=7
+DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11
+KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+
+
 # Emit .vbpubk and .vbprivk using given basename and algorithm
 # NOTE: This function also appears in ../../utility/dev_make_keypair. Making
 # the two implementations the same would require some common.sh, which is more
@@ -32,9 +53,10 @@ function alg_to_keylen {
 function make_pair {
   local base=$1
   local alg=$2
+  local key_version=${3:-1}
   local len=$(alg_to_keylen $alg)
 
-  echo "creating $base keypair..."
+  echo "creating $base keypair (version = $key_version)..."
 
   # make the RSA keypair
   openssl genrsa -F4 -out "${base}_${len}.pem" $len
@@ -48,7 +70,7 @@ function make_pair {
   vbutil_key \
     --pack "${base}.vbpubk" \
     --key "${base}_${len}.keyb" \
-    --version 1 \
+    --version  "${key_version}" \
     --algorithm $alg
 
   # wrap the private key
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
index d39dd6ee03..cf6ee97e32 100755
--- a/scripts/keygeneration/create_new_keys.sh
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -9,26 +9,6 @@
 # Load common constants and functions.
 . "$(dirname "$0")/common.sh"
 
-# Mapping are in common.sh.
-ROOT_KEY_ALGOID=11
-RECOVERY_KEY_ALGOID=11
-
-FIRMWARE_DATAKEY_ALGOID=7
-DEV_FIRMWARE_DATAKEY_ALGOID=7
-
-RECOVERY_KERNEL_ALGOID=11
-INSTALLER_KERNEL_ALGOID=11
-KERNEL_SUBKEY_ALGOID=7
-KERNEL_DATAKEY_ALGOID=4
-
-# Keyblock modes determine which boot modes a signing key is valid for use
-# in verification.
-FIRMWARE_KEYBLOCK_MODE=7
-DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
-RECOVERY_KERNEL_KEYBLOCK_MODE=11
-KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
-INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
-
 # Create the normal keypairs
 make_pair root_key                 $ROOT_KEY_ALGOID
 make_pair firmware_data_key        $FIRMWARE_DATAKEY_ALGOID
diff --git a/scripts/keygeneration/increment_kernel_subkey_and_key.sh b/scripts/keygeneration/increment_kernel_subkey_and_key.sh
new file mode 100755
index 0000000000..36d30c8cb3
--- /dev/null
+++ b/scripts/keygeneration/increment_kernel_subkey_and_key.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script to increment kernel subkey and datakey for firmware updates.
+# Used when revving versions for a firmware update.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+# File to read current versions from.
+VERSION_FILE="key.versions"
+
+# ARGS: <version_type>
+get_version() {
+  local version_type=$1
+  version=$(sed -n "s#^${version_type}=\(.*\)#\1#pg" ${VERSION_FILE})
+  echo $version
+}
+
+# Make backups of existing keys and keyblocks that will be revved.
+# Backup format:
+# for keys: <key_name>.v<version>
+# for keyblocks: <keyblock_name>.v<datakey version>.v<subkey version>
+# Args: SUBKEY_VERSION DATAKEY_VERSION
+backup_existing_kernel_keys() {
+  subkey_version=$1
+  datakey_version=$2
+  # --no-clobber to prevent accidentally overwriting existing
+  # backups.
+  mv --no-clobber kernel_subkey.vbprivk{,".v${subkey_version}"}
+  mv --no-clobber kernel_subkey.vbpubk{,".v${subkey_version}"}
+  mv --no-clobber kernel_data_key.vbprivk{,".v${datakey_version}"}
+  mv --no-clobber kernel_data_key.vbpubk{,".v${datakey_version}"}
+  mv --no-clobber kernel.keyblock{,".v${datakey_version}.v${subkey_version}"}
+}
+
+# Write new key version file with the updated key versions.
+# Args: FIRMWARE_KEY_VERSION FIRMWARE_VERSION KERNEL_KEY_VERSION KERNEL_VERSION
+write_updated_version_file() {
+  local firmware_key_version=$1
+  local firmware_version=$2
+  local kernel_key_version=$3
+  local kernel_version=$4
+
+  cat > ${VERSION_FILE} <<EOF
+firmware_key_version=${firmware_key_version}
+firmware_version=${firmware_version}
+kernel_key_version=${kernel_key_version}
+kernel_version=${kernel_version}
+EOF
+}
+  
+
+main() {
+  current_fkey_version=$(get_version "firmware_key_version")
+  # Firmware version is the kernel subkey version.
+  current_ksubkey_version=$(get_version "firmware_version")
+  # Kernel data key version is the kernel key version.
+  current_kdatakey_version=$(get_version "kernel_key_version")
+  current_kernel_version=$(get_version "kernel_version")
+
+  cat <<EOF
+Current Firmware key version: ${current_fkey_version}
+Current Firmware version: ${current_ksubkey_version}
+Current Kernel key version: ${current_kdatakey_version}
+Current Kernel version: ${current_kernel_version}
+EOF
+
+  backup_existing_kernel_keys $current_ksubkey_version $current_kdatakey_version
+
+  new_ksubkey_version=$(( current_ksubkey_version + 1 ))
+  new_kdatakey_version=$(( current_kdatakey_version + 1 ))
+
+  if [ $new_kdatakey_version -gt 65535 ] || [ $new_kdatakey_version -gt 65535 ];
+  then
+    echo "Version overflow!"
+    exit 1
+  fi
+
+  cat <<EOF 
+Generating new kernel subkey, data keys and new kernel keyblock.
+
+New Firmware version (due to kernel subkey change): ${new_ksubkey_version}.
+New Kernel key version (due to kernel datakey change): ${new_kdatakey_version}.
+EOF
+  make_pair kernel_subkey $KERNEL_SUBKEY_ALGOID $new_ksubkey_version
+  make_pair kernel_data_key $KERNEL_DATAKEY_ALGOID $new_kdatakey_version
+  make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+  write_updated_version_file $current_fkey_version $new_ksubkey_version \
+    $new_kdatakey_version $current_kernel_version
+}
+
+main $@
diff --git a/scripts/keygeneration/key.versions b/scripts/keygeneration/key.versions
new file mode 100644
index 0000000000..59d8748eb7
--- /dev/null
+++ b/scripts/keygeneration/key.versions
@@ -0,0 +1,4 @@
+firmware_key_version=1
+firmware_version=1
+kernel_key_version=1
+kernel_version=1