diff --git a/elements/runtime-ssh-host-keys/README.rst b/elements/runtime-ssh-host-keys/README.rst
new file mode 100644
index 000000000..b00a2402e
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/README.rst
@@ -0,0 +1,10 @@
+=====================
+runtime-ssh-host-keys
+=====================
+An element to generate SSH host keys on first boot.
+
+Since ssh key generation is not yet common to all operating systems, we need to
+create a DIB element to manage this. We force the removal of the SSH host keys,
+then add init scripts to generate them on first boot.
+
+This element currently supports Debian and Ubuntu (both systemd and upstart).
diff --git a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
similarity index 78%
rename from elements/simple-init/cleanup.d/90-remove-ssh-host-keys
rename to elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
index c90626a8a..b14e03f1c 100755
--- a/elements/simple-init/cleanup.d/90-remove-ssh-host-keys
+++ b/elements/runtime-ssh-host-keys/cleanup.d/90-remove-ssh-host-keys
@@ -10,9 +10,6 @@ set -o pipefail
 # in so that they are regenerated on first boot and
 # are unique.
 
-# TODO(greghaynes) This should be a thing we do for all images, not just
-# simple-init.
-
 if [ -d $TARGET_ROOT/etc/ssh ] ; then
     sudo find $TARGET_ROOT/etc/ssh -name 'ssh_host*' -type f -delete
 fi
diff --git a/elements/runtime-ssh-host-keys/element-deps b/elements/runtime-ssh-host-keys/element-deps
new file mode 100644
index 000000000..3a0277624
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/element-deps
@@ -0,0 +1 @@
+dib-init-system
diff --git a/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
new file mode 100644
index 000000000..90a831362
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/systemd/ssh-keygen.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+Before=ssh.service
+
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
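Review bot: The OR-triggered `ConditionPathExists=|!…` list makes this unit run whenever any one listed file is absent, and `ssh-keygen -A` then creates every default key type that is missing, so a host key type an operator removed on purpose (DSA, for example) comes back on the next boot. On OpenSSH builds that no longer create `/etc/ssh/ssh_host_key`, the first two conditions would presumably always hold, making this an every-boot unit rather than a first-boot one. The upstart job in this commit has the same effect, since it runs `ssh-keygen -A` on every `starting ssh` event. I would document this in the unit with a comment such as `# Runs whenever any default host key is missing; ssh-keygen -A recreates all missing types, so restrict key types via HostKey in sshd_config rather than by deleting key files`.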
diff --git a/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
new file mode 100644
index 000000000..3fa2c0126
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/init-scripts/upstart/ssh-keygen.conf
@@ -0,0 +1,8 @@
+description "OpenSSH Server Key Generation"
+
+start on starting ssh
+console output
+
+task
+
+exec /usr/bin/ssh-keygen -A
diff --git a/elements/runtime-ssh-host-keys/package-installs.yaml b/elements/runtime-ssh-host-keys/package-installs.yaml
new file mode 100644
index 000000000..c5017af3f
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/package-installs.yaml
@@ -0,0 +1 @@
+openssh-client:
diff --git a/elements/runtime-ssh-host-keys/pkg-map b/elements/runtime-ssh-host-keys/pkg-map
new file mode 100644
index 000000000..413d584e7
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/pkg-map
@@ -0,0 +1,7 @@
+{
+  "family": {
+    "redhat": {
+      "openssh-client": "openssh"
+    }
+  }
+}
diff --git a/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
new file mode 100755
index 000000000..926a12d69
--- /dev/null
+++ b/elements/runtime-ssh-host-keys/post-install.d/80-ssh-keygen
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    upstart)
+        # nothing to do
+        exit 0
+        ;;
+    systemd)
+        if [[ $DISTRO_NAME = "ubuntu" || $DISTRO_NAME = "debian" ]]; then
+            # NOTE(pabelanger): Only support ubuntu / debian today.
+            systemctl enable ssh-keygen.service
+        else
+            # Since we are not enabling it, delete it.
+            rm /usr/lib/systemd/system/ssh-keygen.service
+        fi
+        ;;
+    openrc)
+        # let dib-init-system's postinstall handle enabling init scripts
+        exit 0
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac
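Review bot: In the `else` branch of the `systemd)` arm the unit is deleted with a bare `rm` on a hard-coded path, which under `set -e` aborts the build if the unit was installed somewhere else (for example `/lib/systemd/system`), and the branch writes nothing to the build log. The element's `cleanup.d/90-remove-ssh-host-keys` still deletes the host keys for every distro, so on these images key regeneration depends entirely on the distro's own sshd packaging, which is worth recording in the log. I would change the branch to `echo "runtime-ssh-host-keys: no first-boot key generation installed for $DISTRO_NAME" >&2` followed by `rm -f /usr/lib/systemd/system/ssh-keygen.service`. The `*)` arm would likewise be easier to debug as `echo "Unsupported init system: $DIB_INIT_SYSTEM" >&2`.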
diff --git a/elements/simple-init/element-deps b/elements/simple-init/element-deps
index d92bc778c..5c7f9bb38 100644
--- a/elements/simple-init/element-deps
+++ b/elements/simple-init/element-deps
@@ -1,5 +1,5 @@
 cloud-init-datasources
-dib-init-system
 install-types
 pip-and-virtualenv
+runtime-ssh-host-keys
 source-repositories
diff --git a/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
new file mode 100644
index 000000000..3475ae7d0
--- /dev/null
+++ b/releasenotes/notes/runtime-ssh-host-keys-7a2fc873cc90d33e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - New element (runtime-ssh-host-keys) to manage SSH host keys at boot. Since
+    SSH host key generation is not standard across operating systems, add
+    support for both Debian and Ubuntu to handle it. While this is a new
+    element, simple-init has been updated to depend on it.