diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
new file mode 100755
index 0000000000..a1d25b01f4
--- /dev/null
+++ b/build_library/qemu_template.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+
+SCRIPT_DIR="`dirname "$0"`"
+VM_NAME=
+VM_UUID=
+VM_IMAGE=
+VM_MEMORY=
+IMAGE_PATH="${SCRIPT_DIR}/${VM_IMAGE}"
+SSH_PORT=2222
+SSH_KEYS=""
+USAGE="Usage: $0 [-a authorized_keys] [--] [qemu options...]
+Options:
+    -a FILE     SSH public keys for login access. [~/.ssh/id_{dsa,rsa}.pub]
+    -p PORT     The port on localhost to map to the VM's sshd. [2222]
+    -h          this ;-)
+
+This script is a wrapper around qemu for starting CoreOS virtual machines.
+The -a option may be used to specify a particular ssh public key to give
+login access to. If -a is not provided ~/.ssh/id_{dsa,rsa}.pub is used.
+If no public key is provided or found the VM will still boot but you may
+be unable to login unless you built the image yourself after setting a
+password for the core user with the 'set_shared_user_password.sh' script.
+
+Any arguments after -a and -p will be passed through to qemu, -- may be
+used as an explicit separator. See the qemu(1) man page for more details.
+"
+
+while getopts ":a:p:vh" OPTION
+do
+    case $OPTION in
+        a) SSH_KEYS="$OPTARG"; shift 2 ;;
+        p) SSH_PORT="$OPTARG"; shift 2 ;;
+        v) set -x; shift ;;
+        h) echo "$USAGE"; exit ;;
+        ?) break ;;
+    esac
+done
+
+
+METADATA=$(mktemp -t -d coreos-meta-data.XXXXXXXXXX)
+if [ $? -ne 0 ] || [ ! -d "$METADATA" ]; then
+    echo "$0: mktemp -d failed!" >&2
+    exit 1
+fi
+trap "rm -rf '$METADATA'" EXIT
+
+
+# Do our best to create an authorized_keys file
+if [ -n "$SSH_KEYS" ]; then
+    if [ ! -f "$SSH_KEYS" ]; then
+        echo "$0: SSH keys file not found: $SSH_KEYS" >&2
+        exit 1
+    elif ! cp "$SSH_KEYS" "${METADATA}/authorized_keys"; then
+        echo "$0: Failed to copy SSH keys from $SSH_KEYS" >&2
+        exit 1
+    fi
+else
+    # Nothing provided, try fetching from ssh-agent and the local fs
+    if [ -S "$SSH_AUTH_SOCK" ]; then
+        ssh-add -L >> "${METADATA}/authorized_keys"
+    fi
+    for default_key in ~/.ssh/id_*.pub; do
+        if [ ! -f "$default_key" ]; then
+            continue
+        fi
+        cat "$default_key" >> "${METADATA}/authorized_keys"
+    done
+fi
+
+
+# Default to KVM, fall back on full emulation
+# ${METADATA} will be mounted in CoreOS as /media/metadata
+qemu-system-x86_64 \
+    -name "$VM_NAME" \
+    -uuid "$VM_UUID" \
+    -m ${VM_MEMORY} \
+    -machine accel=kvm:tcg \
+    -drive index=0,if=virtio,media=disk,format=qcow2,file="${IMAGE_PATH}" \
+    -net nic,vlan=0,model=virtio \
+    -net user,vlan=0,hostfwd=tcp::"${SSH_PORT}"-:22 \
+    -fsdev local,id=metadata,security_model=none,readonly,path="${METADATA}" \
+    -device virtio-9p-pci,fsdev=metadata,mount_tag=metadata \
+    "$@"
+RET=$?
+
+
+# Cleanup!
+rm -rf "${METADATA}"
+trap - EXIT
+exit $?
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index fe0b60e52e..f39a6d38d3 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -293,23 +293,11 @@ _write_qemu_conf() {
     local dst_dir=$(dirname "$VM_DST_IMG")
     local script="${dst_dir}/$(_src_to_dst_name "${src_name}" ".sh")"
 
-    cat >"${script}" <<EOF
-#!/bin/sh
-
-SCRIPT_DIR="\`dirname "\$0"\`"
-DISK_IMAGE="\${SCRIPT_DIR}/${dst_name}"
-
-# Default to KVM, fall back on full emulation
-exec qemu-system-x86_64 \\
-    -name "${VM_NAME}" \\
-    -uuid "${VM_UUID}" \\
-    -m ${vm_mem} \\
-    -machine accel=kvm:tcg \\
-    -drive index=0,if=virtio,media=disk,format=qcow2,file="\${DISK_IMAGE}" \\
-    -net nic,vlan=0,model=virtio \\
-    -net user,vlan=0,hostfwd=tcp::2222-:22 \\
-    "\$@"
-EOF
+    sed -e "s%^VM_NAME=.*%VM_NAME='${VM_NAME}'%" \
+        -e "s%^VM_UUID=.*%VM_UUID='${VM_UUID}'%" \
+        -e "s%^VM_IMAGE=.*%VM_IMAGE='${dst_name}'%" \
+        -e "s%^VM_MEMORY=.*%VM_MEMORY='${vm_mem}'%" \
+        "${BUILD_LIBRARY_DIR}/qemu_template.sh" > "${script}"
     chmod +x "${script}"
 
     cat >"${VM_README}" <<EOF
@@ -317,11 +305,12 @@ If you have qemu installed (or in the SDK), you can start the image with:
   cd path/to/image
   ./$(basename "${script}") -curses
 
-If you wish to log in via a ssh key:
-  mkdir /tmp/meta-data
-  cp ~/.ssh/id_dsa.pub /tmp/meta-data/authorized_keys
-  ./$(basename "${script}") -curses -virtfs \\
-    local,path=/tmp/meta-data,mount_tag=meta-data,security_model=none,readonly
+If you need to use a different ssh key or different ssh port:
+  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -curses
+
+If you rather you can use the -nographic option instad of -curses. In this
+mode you can switch from the vm to the qemu monitor console with: Ctrl-a c
+See the qemu man page for more details on the monitor console.
 
 SSH into that host with:
   ssh 127.0.0.1 -p 2222