diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh
index 42412ef49c..b5d1cf2388 100755
--- a/scripts/image_signing/resign_firmwarefd.sh
+++ b/scripts/image_signing/resign_firmwarefd.sh
@@ -54,9 +54,9 @@
 set -e
 
 # Check arguments
-if [ $# -lt 5 ] || [ $# -gt 6 ]; then
+if [ $# -lt 7 ] || [ $# -gt 8 ]; then
   echo "Usage: $PROG src_fd dst_fd firmware_datakey firmware_keyblock"\
-   "kernel_subkey [version]"
+   "dev_firmware_datakey dev_firmware_keyblock kernel_subkey [version]"
   exit 1
 fi
 
@@ -70,8 +70,10 @@ SRC_FD=$1
 DST_FD=$2
 FIRMWARE_DATAKEY=$3
 FIRMWARE_KEYBLOCK=$4
-KERNEL_SUBKEY=$5
-VERSION=$6
+DEV_FIRMWARE_DATAKEY=$5
+DEV_FIRMWARE_KEYBLOCK=$6
+KERNEL_SUBKEY=$7
+VERSION=$8
 
 if [ -z $VERSION ]; then
   VERSION=1
@@ -105,15 +107,16 @@ done
 temp_fwimage=$(make_temp_file)
 temp_out_vb=$(make_temp_file)
 
-# Extract out Firmware A data and generate signature using the right keys
+# Extract out Firmware A data and generate signature using the right keys.
+# Firmware A is the dev firmware.
 dd if="${SRC_FD}" of="${temp_fwimage}" skip="${fwA_offset}" bs=1 \
   count="${fwA_size}"
 
 echo "Re-calculating Firmware A vblock"
 vbutil_firmware \
   --vblock "${temp_out_vb}" \
-  --keyblock "${FIRMWARE_KEYBLOCK}" \
-  --signprivate "${FIRMWARE_DATAKEY}" \
+  --keyblock "${DEV_FIRMWARE_KEYBLOCK}" \
+  --signprivate "${DEV_FIRMWARE_DATAKEY}" \
   --version "${VERSION}" \
   --fv "${temp_fwimage}" \
   --kernelkey "${KERNEL_SUBKEY}"
@@ -123,7 +126,7 @@ cp "${SRC_FD}" "${DST_FD}"
 dd if="${temp_out_vb}" of="${DST_FD}" seek="${fwA_vblock_offset}" bs=1 \
   count="${fwA_vblock_size}" conv=notrunc
 
-# Repeat for firmware B
+# Firmware B is the normal firmware.
 dd if="${SRC_FD}" of="${temp_fwimage}" skip="${fwB_offset}" bs=1 \
   count="${fwB_size}"
 echo "Re-calculating Firmware B vblock"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index da9db0623f..12014da6be 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -261,6 +261,8 @@ resign_firmware_payload() {
   ${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_outfd} ${shellball_dir}/bios.bin \
     ${KEY_DIR}/firmware_data_key.vbprivk \
     ${KEY_DIR}/firmware.keyblock \
+    ${KEY_DIR}/dev_firmware_data_key.vbprivk \
+    ${KEY_DIR}/dev_firmware.keyblock \
     ${KEY_DIR}/kernel_subkey.vbpubk \
     ${FIRMWARE_VERSION}
 
diff --git a/tests/devkeys/create_new_keys.sh b/scripts/keygeneration/common.sh
similarity index 58%
rename from tests/devkeys/create_new_keys.sh
rename to scripts/keygeneration/common.sh
index 311d92439c..0e1a6dfd54 100755
--- a/tests/devkeys/create_new_keys.sh
+++ b/scripts/keygeneration/common.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
-# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-#
-# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
-# be exactly like the real keys except that the private keys aren't secret.
 
+# Common key generation functions.
+
+SCRIPT_DIR="$(dirname "$0")"
 
 # 0 = (RSA1024 SHA1)
 # 1 = (RSA1024 SHA256)
@@ -90,38 +90,3 @@ function make_keyblock {
 }
 
 
-
-# Create the normal keypairs
-make_pair root_key                 11
-make_pair firmware_data_key        7
-make_pair dev_firmware_data_key    7
-make_pair kernel_subkey            7
-make_pair kernel_data_key          4
-
-# Create the recovery and factory installer keypairs
-make_pair recovery_key             11
-make_pair recovery_kernel_data_key 11
-make_pair installer_kernel_data_key 11
-
-# Create the firmware keyblock for use only in Normal mode. This is redundant,
-# since it's never even checked during Recovery mode.
-make_keyblock firmware 7 firmware_data_key root_key
-
-# Create the dev firmware keyblock for use only in Developer mode.
-make_keyblock dev_firmware 6 dev_firmware_data_key root_key
-
-# Create the recovery kernel keyblock for use only in Recovery mode.
-make_keyblock recovery_kernel 11 recovery_kernel_data_key recovery_key
-
-# Create the normal kernel keyblock for use only in Normal mode.
-make_keyblock kernel 7 kernel_data_key kernel_subkey
-
-# Create the installer keyblock for use in Developer + Recovery mode
-# For use in Factory Install and Developer Mode install shims.
-make_keyblock installer_kernel 10 installer_kernel_data_key recovery_key
-
-# CAUTION: The public parts of most of these blobs must be compiled into the
-# firmware, which is built separately (and some of which can't be changed after
-# manufacturing). If you update these keys, you must coordinate the changes
-# with the BIOS people or you'll be unable to boot the resulting images.
-
diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh
new file mode 100755
index 0000000000..d39dd6ee03
--- /dev/null
+++ b/scripts/keygeneration/create_new_keys.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs for use by developer builds. These should
+# be exactly like the real keys except that the private keys aren't secret.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+# Mapping are in common.sh.
+ROOT_KEY_ALGOID=11
+RECOVERY_KEY_ALGOID=11
+
+FIRMWARE_DATAKEY_ALGOID=7
+DEV_FIRMWARE_DATAKEY_ALGOID=7
+
+RECOVERY_KERNEL_ALGOID=11
+INSTALLER_KERNEL_ALGOID=11
+KERNEL_SUBKEY_ALGOID=7
+KERNEL_DATAKEY_ALGOID=4
+
+# Keyblock modes determine which boot modes a signing key is valid for use
+# in verification.
+FIRMWARE_KEYBLOCK_MODE=7
+DEV_FIRMWARE_KEYBLOCK_MODE=6  # Only allow in dev mode.
+RECOVERY_KERNEL_KEYBLOCK_MODE=11
+KERNEL_KEYBLOCK_MODE=7  # Only allow in non-recovery.
+INSTALLER_KERNEL_KEYBLOCK_MODE=10  # Only allow in Dev + Recovery.
+
+# Create the normal keypairs
+make_pair root_key                 $ROOT_KEY_ALGOID
+make_pair firmware_data_key        $FIRMWARE_DATAKEY_ALGOID
+make_pair dev_firmware_data_key    $DEV_FIRMWARE_DATAKEY_ALGOID
+make_pair kernel_subkey            $KERNEL_SUBKEY_ALGOID
+make_pair kernel_data_key          $KERNEL_DATAKEY_ALGOID
+
+# Create the recovery and factory installer keypairs
+make_pair recovery_key             $RECOVERY_KEY_ALGOID
+make_pair recovery_kernel_data_key $RECOVERY_KERNEL_ALGOID
+make_pair installer_kernel_data_key $INSTALLER_KERNEL_ALGOID
+
+# Create the firmware keyblock for use only in Normal mode. This is redundant,
+# since it's never even checked during Recovery mode.
+make_keyblock firmware $FIRMWARE_KEYBLOCK_MODE firmware_data_key root_key
+
+# Create the dev firmware keyblock for use only in Developer mode.
+make_keyblock dev_firmware $DEV_FIRMWARE_KEYBLOCK_MODE dev_firmware_data_key root_key
+
+# Create the recovery kernel keyblock for use only in Recovery mode.
+make_keyblock recovery_kernel $RECOVERY_KERNEL_KEYBLOCK_MODE recovery_kernel_data_key recovery_key
+
+# Create the normal kernel keyblock for use only in Normal mode.
+make_keyblock kernel $KERNEL_KEYBLOCK_MODE kernel_data_key kernel_subkey
+
+# Create the installer keyblock for use in Developer + Recovery mode
+# For use in Factory Install and Developer Mode install shims.
+make_keyblock installer_kernel $INSTALLER_KERNEL_KEYBLOCK_MODE installer_kernel_data_key recovery_key
+
+# CAUTION: The public parts of most of these blobs must be compiled into the
+# firmware, which is built separately (and some of which can't be changed after
+# manufacturing). If you update these keys, you must coordinate the changes
+# with the BIOS people or you'll be unable to boot the resulting images.
+
diff --git a/scripts/keygeneration/make_keyblock.sh b/scripts/keygeneration/make_keyblock.sh
new file mode 100755
index 0000000000..565a566cff
--- /dev/null
+++ b/scripts/keygeneration/make_keyblock.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generates a keyblock containing a public key and signed using the given
+# signing key.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 4 ]; then
+  cat <<EOF
+Usage: $0 <in_public_key> <in_signing_key> <flags> <out_keyblock>
+
+Emits <out_keyblock>.keyblock containing <in_public_key>.vbpubk signed with
+<in_signing_key>.vbprivk with the given keyblock <flags>.
+EOF
+  exit 1
+fi
+
+in_pubkey=$1
+in_signkey=$2
+keyblock_flags=$3
+out_keyblock=$4
+
+make_keyblock $out_keyblock $keyblock_flags $in_pubkey $in_signkey
diff --git a/scripts/keygeneration/make_pair.sh b/scripts/keygeneration/make_pair.sh
new file mode 100755
index 0000000000..cd5d0c1002
--- /dev/null
+++ b/scripts/keygeneration/make_pair.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Generate .vbpubk and .vbprivk pairs with the given algorithm id.
+
+# Load common constants and functions.
+. "$(dirname "$0")/common.sh"
+
+if [ $# -ne 2 ]; then
+  cat <<EOF
+Usage: $0 <algoid> <out_keypair>
+
+Output: <out_keypair>.vbprivk and <out_keypair>.vbpubk
+EOF
+  exit 1
+fi
+
+algoid=$1
+out_keypair=$2
+
+make_pair $out_keypair $algoid