diff --git a/bin/cros_make_image_bootable b/bin/cros_make_image_bootable
index 70d42c4c8f..bde3c549d4 100755
--- a/bin/cros_make_image_bootable
+++ b/bin/cros_make_image_bootable
@@ -107,6 +107,9 @@ DEFINE_string verity_salt "" \
 DEFINE_string keys_dir "/usr/share/vboot/devkeys" \
   "Directory containing the signing keys."
 
+DEFINE_string au_key "" \
+  "Filename of the au_key to install"
+
 DEFINE_string rootfs_mountpoint "/tmp/rootfs" \
   "Path where the rootfs can be safely mounted"
 DEFINE_string statefulfs_mountpoint "/tmp/statefulfs" \
@@ -182,6 +185,16 @@ make_image_bootable() {
 
   legacy_offset_size_export ${image}
 
+
+  # Install an auto update key on the root before sealing it off
+  if [ ! -z "${FLAGS_au_key}" ]; then
+    local key_location=${FLAGS_rootfs_mountpoint}"/usr/share/update_engine/"
+    sudo cp "${FLAGS_au_key}" "$key_location/update-payload-key.pub.pem"
+    sudo chown root:root "$key_location/update-payload-key.pub.pem"
+    sudo chmod 644 "$key_location/update-payload-key.pub.pem"
+    echo "AU verification key was installed. Do not forget to resign the image!"
+  fi
+
   # The rootfs should never be mounted rw again after this point without
   # re-calling make_image_bootable.
   sudo mount -o remount,ro "${FLAGS_rootfs_mountpoint}"
diff --git a/build_image b/build_image
index 88b03d0b2b..9e340410fe 100755
--- a/build_image
+++ b/build_image
@@ -168,8 +168,12 @@ fi
 
 if should_build_image ${COREOS_PRODUCTION_IMAGE_NAME}; then
   copy_image ${CHROMEOS_BASE_IMAGE_NAME} ${COREOS_PRODUCTION_IMAGE_NAME}
-  ${SCRIPTS_DIR}/bin/cros_make_image_bootable "${BUILD_DIR}" \
-     ${COREOS_PRODUCTION_IMAGE_NAME}
+
+  ${SCRIPTS_DIR}/bin/cros_make_image_bootable \
+    "${BUILD_DIR}" \
+     ${COREOS_PRODUCTION_IMAGE_NAME} \
+    --au_key=${SRC_ROOT}/third_party/coreos-overlay/coreos-base/coreos-au-key/files/update-payload-key.pub.pem
+
   upload_image "${BUILD_DIR}/${COREOS_PRODUCTION_IMAGE_NAME}"
 fi