diff --git a/gestion/tools/apt-keys-crans.py b/gestion/tools/apt-keys-crans.py
new file mode 100755
index 00000000..fd94666c
--- /dev/null
+++ b/gestion/tools/apt-keys-crans.py
@@ -0,0 +1,51 @@
+#!/bin/bash /usr/scripts/python.sh
+# -*- coding: utf-8 -*-
+
+import os
+from subprocess import Popen, PIPE, STDOUT
+import lc_ldap.shortcuts
+from socket import gethostname
+
+
+keyserver='komaz.adm.crans.org'
+basedir='/bcfg2/Cfg/etc/crans/apt-keys/'
+
+
+conn=lc_ldap.shortcuts.lc_ldap_readonly()
+nounou=conn.search(u"(&(gpgFingerprint=*)(droits=nounou))")
+fpr=[u['gpgFingerprint'][0].value for u in nounou]
+
+def refresh_keys():
+ p = Popen(['gpg', '--keyserver', 'komaz.adm.crans.org', '--recv-keys'] + fpr, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
+ ret=p.communicate()
+ if ret[1]:
+ print ret[1]
+ if ret[0]:
+ print ret[0]
+
+
+def write_keys():
+ for user in nounou:
+ try:
+ os.mkdir(basedir + '%s.asc/' % user['uid'][0])
+ except OSError:
+ pass
+ path=basedir + '%s.asc/%s.asc' % (user['uid'][0],user['uid'][0])
+ # Est-ce que ça serait bien de mettre --export-options export-minimal ?
+ p = Popen(['gpg', '--armor', '--export', user['gpgFingerprint'][0].value], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
+ ret=p.communicate()
+ if ret[1]:
+ print ret[1]
+ if ret[0]:
+ with open(path, 'w') as f:
+ f.write(ret[0])
+ f.close()
+ print "Witten down %s" % path
+
+if __name__ == '__main__':
+ if gethostname() != 'bcfg2':
+ print "Doit être lancé sur bcfg2"
+ exit(1)
+ else:
+ refresh_keys()
+ write_keys()
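Review bot: In write_keys the export runs with `stderr=STDOUT`, so anything gpg prints on stderr is merged into `ret[0]` and written into the `.asc` file, while `ret[1]` is always None, which makes the `if ret[1]:` branches dead (refresh_keys has the same dead branch). The exit status is never checked either, so a failed or empty export can still replace a key file under the apt-keys tree that bcfg2 presumably distributes. I would capture stderr separately and skip the write unless gpg exited 0 with non-empty output, as in the excerpt below. Separately, the LDAP `gpgFingerprint` value is handed to gpg as a key selector with no format check; if the schema does not already enforce it, requiring a full hexadecimal fingerprint before the call would keep a short ID or user-ID string from selecting an unintended key.

```python
def write_keys():
    for user in nounou:
        # … unchanged: mkdir of the per-user directory and path construction …
        p = Popen(['gpg', '--armor', '--export', user['gpgFingerprint'][0].value],
                  stdout=PIPE, stderr=PIPE)
        out, err = p.communicate()
        if err:
            print err
        if p.returncode != 0 or not out:
            # Keep the existing file rather than overwrite it with a bad export.
            print "Export failed for %s, %s left untouched" % (user['uid'][0], path)
            continue
        with open(path, 'w') as f:
            f.write(out)
        # … unchanged: print of the written path …
```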