diff --git a/services/identity/Cargo.toml b/services/identity/Cargo.toml
--- a/services/identity/Cargo.toml
+++ b/services/identity/Cargo.toml
@@ -3,7 +3,17 @@
 version = "0.1.0"
 edition = "2021"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[lib]
+name = "common"
+path = "src/lib.rs"
+
+[[bin]]
+name = "identity"
+path = "src/main.rs"
+
+[[bin]]
+name = "keygen"
+path = "scripts/keygen.rs"
 
 [dependencies]
 tonic = "0.6"
diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile
--- a/services/identity/Dockerfile
+++ b/services/identity/Dockerfile
@@ -9,9 +9,10 @@
 RUN cargo init --bin
 
 COPY services/identity/Cargo.toml services/identity/Cargo.lock ./
+RUN touch src/lib.rs
 
 # Cache build dependencies in a new layer
-RUN cargo build --release
+RUN cargo build --release --bin identity
 RUN rm src/*.rs
 
 COPY services/identity .
diff --git a/services/identity/scripts/keygen.rs b/services/identity/scripts/keygen.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/scripts/keygen.rs
@@ -0,0 +1,17 @@
+use common::opaque::Cipher;
+use opaque_ke::{ciphersuite::CipherSuite, rand::rngs::OsRng};
+use std::{env, fs};
+
+fn main() {
+  let mut rng = OsRng;
+  let server_kp = Cipher::generate_random_keypair(&mut rng);
+  let mut path = env::current_dir().unwrap();
+  path.push("secrets");
+  if !path.exists() {
+    println!("Creating secrets directory {:?}", path);
+    fs::create_dir(&path).unwrap();
+  }
+  path.push("secret_key");
+  println!("Writing secret key to {:?}", path);
+  fs::write(&path, server_kp.private().to_arr()).unwrap();
+}