diff --git a/deploy_wesher_key b/deploy_wesher_key
new file mode 100755
index 0000000..8f7ed77
--- /dev/null
+++ b/deploy_wesher_key
@@ -0,0 +1,4 @@
+#!/usr/bin/env ./sshtool
+
+write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
+cmd systemctl restart wesher
diff --git a/gen_wesher_key b/gen_wesher_key
new file mode 100755
index 0000000..c66fade
--- /dev/null
+++ b/gen_wesher_key
@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $0 "
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+
+K=deuxfleurs/cluster/$CLUSTER/wesher_key
+if ! pass $K >/dev/null; then
+ pass insert -m $K <" echo "The cluster name must be the name of a subdirectory of cluster/" exit 1
diff --git a/sshtool b/sshtool
index b5de384..1396c87 100755
--- a/sshtool
+++ b/sshtool
@@ -81,6 +81,19 @@ chmod 0600 $TO EOF }
+function write_pass {
+ local PASSKEY=$1
+ local TO=$2
+ cat < /dev/null
+$(pass $PASSKEY | base64)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+ for NIXHOST in $NIXHOSTLIST; do NIXHOST=${NIXHOST%.*}
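Review bot: On the `write_pass` line of `deploy_wesher_key`, `$CLUSTER` is expanded unquoted and unchecked, so an empty value would look up `deuxfleurs/cluster//wesher_key` and the `systemctl restart wesher` on the next line would still run. Where `CLUSTER` is assigned is not visible in this diff, so confirm it is validated before this file is evaluated. If `sshtool` evaluates the file as shell, guard it here with `: "${CLUSTER:?cluster name not set}"` and quote the argument. The `#!/usr/bin/env ./sshtool` shebang resolves against the caller's working directory, so add a header comment such as `# Run from the repository root: the interpreter is ./sshtool`.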
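Review bot: In `write_pass`, a failure of `pass $PASSKEY` goes unnoticed because its status is hidden behind `| base64` inside a command substitution in the here-document, so the generated commands would still be emitted with an empty payload and overwrite `$TO`. Fetch the secret before emitting anything and stop on error, for example `local SECRET` followed by `SECRET=$(pass "$PASSKEY") || return 1`, then encode `$SECRET` inside the here-document; how callers react to a non-zero return is outside this hunk. The generated commands also apply `chmod 0600 $TO` only after the content has been written, so depending on the remote umask the key may be briefly readable by other users; emitting `umask 077` as the first generated line closes that window. The line that performs the write is damaged on this page, so the ordering is inferred from the lines around it. `$PASSKEY` and `$TO` should be quoted wherever they are expanded.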