diff --git a/Dockerfile b/Dockerfile
index d965855..bc329b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@ LABEL description="SaltStack master"
 LABEL version="2018.3.2"
 ENV SALT_DOCKER_DIR="/etc/salt-docker" \
- SALT_MASTER_DIR="/etc/salt/pki/master" \
+ SALT_ROOT_DIR="/etc/salt" \
 SALT_USER=root
 ENV SALT_BUILD_DIR="${SALT_DOCKER_DIR}/build" \
diff --git a/README.md b/README.md
index d527071..effc7d2 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ For other methods to install SaltStack please refer to the [Official SaltStack I
 - [Configuration](#configuration)
 - [Custom Recipes](#custom-recipes)
 - [Minion Keys](#minion-keys)
+ - [Master Signed Keys](#master-signed-keys)
 - [Available Configuration Parameters](#available-configuration-parameters)
 - [Usage](#usage)
 - [Shell Access](#shell-access)
@@ -58,7 +59,7 @@ Alternatively, you can manually launch the `saltstack-master` container:
 docker run --name salt_master --detach \
 --publish 4505:4505/tcp --publish 4506:4506/tcp \
 --env 'SALT_LOG_LEVEL=info' \
- --read-only --volume ./srv/:/srv/ \
+ --read-only --volume $(pwd)/srv/:/srv/ \
 cdalvaro/saltstack-master:2018.3.2
 ```
@@ -76,16 +77,42 @@ Minion keys can be added automatically on startup to SaltStack master by mountin
 ```sh
 mkdir -p keys/minions
-cp -v /etc/salt/pki/minion/minion.pub keys/minions/minion1
+rsync root@minion1:/etc/salt/pki/minion/minion.pub keys/minions/minion1
 docker run --name salt_master -d \
 --publish 4505:4505/tcp --publish 4506:4506/tcp \
 --env 'SALT_LOG_LEVEL=info' \
- --read-only --volume ./srv/:/srv/ \
- --volume ./keys/:/etc/salt-docker/keys/ \
+ --volume $(pwd)/srv/:/srv/ \
+ --volume $(pwd)/keys/:/etc/salt-docker/keys/ \
 cdalvaro/saltstack-master:2018.3.2
 ```
+### Master Signed Keys
+
+It is possible to use signed master keys by establishing the environment variable `SALT_MASTER_SIGN_PUBKEY` to `True`.
+
+```sh
+docker run --name salt_stack --detach \
+ --publish 4505:4505/tcp --publish 4506:4506/tcp \
+ --env 'SALT_LOG_LEVEL=info' \
+ --env 'SALT_MASTER_SIGN_PUBKEY=True'
+ --volume $(pwd)/srv/:/srv/ \
+ --volume $(pwd)/keys/:/etc/salt-docker/keys/ \
+ cdalvaro/saltstack-master:2018.3.2
+```
+
+The container will create the `master_sign` key and its signature. More information about how to configure the minion service can be found [here](https://docs.saltstack.com/en/latest/topics/tutorials/multimaster_pki.html#prepping-the-minion-to-verify-received-public-keys).
+
+Additionally, you can generate new keys by executing the following command:
+
+```sh
+docker run --name salt_stack -it --rm \
+ --volume $(pwd)/keys/:/etc/salt-docker/keys/ \
+ cdalvaro/saltstack-master:2018.3.2 app:gen-signed-keys other_master_sign
+```
+
+The newly created keys will appear inside `keys/generated/other_master_sign` directory.
+
 ### Available Configuration Parameters
 Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose.
@@ -94,8 +121,12 @@ Below is the list of available options that can be used to customize your SaltSt
 | Parameter | Description |
 |-----------|-------------|
-| `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: 'warning' |
-| `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: 'warning' |
+| `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
+| `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
+| `SALT_MASTER_SIGN_PUBKEY` | Sign the master auth-replies with a cryptographic signature of the master's public key. Possible values: 'True' or 'False'. Default: `False` |
+| `SALT_MASTER_USE_PUBKEY_SIGNATURE` | Instead of computing the signature for each auth-reply, use a pre-calculated signature. This option requires `SALT_MASTER_SIGN_PUBKEY` set to 'True'. Possible values: 'True' or 'False'. Default: `True` |
+| `SALT_MASTER_SIGN_KEY_NAME` | The customizable name of the signing-key-pair without suffix. Default: `master_sign` |
+| `SALT_MASTER_PUBKEY_SIGNATURE` | The name of the file in the master's pki-directory that holds the pre-calculated signature of the master's public-key. Default: `master_pubkey_signature` |
 Any parameter not listed in the above table and available in the following [link](https://docs.saltstack.com/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `confs` and adding into it a `.conf` file with the desired parameters:
@@ -111,8 +142,8 @@ EOF
 docker run --name salt_master -d \
 --publish 3505:3505/tcp --publish 3506:3506/tcp \
 --env 'SALT_LOG_LEVEL=info' \
- --read-only --volume ./srv/:/srv/ \
- --volume ./confs/:/etc/salt-docker/confs/ \
+ --read-only --volume $(pwd)/srv/:/srv/ \
+ --volume $(pwd)/confs/:/etc/salt-docker/confs/ \
 cdalvaro/saltstack-master:2018.3.2
 ```
diff --git a/assets/runtime/env-defaults.sh b/assets/runtime/env-defaults.sh
index 73807fb..a30b2f9 100755
--- a/assets/runtime/env-defaults.sh
+++ b/assets/runtime/env-defaults.sh
@@ -1,5 +1,15 @@
 #!/usr/bin/env bash
+# https://docs.saltstack.com/en/latest/ref/configuration/master.html
+
 ##### Logging settings #####
+# https://docs.saltstack.com/en/latest/ref/configuration/master.html#master-logging-settings
 SALT_LOG_LEVEL=${SALT_LOG_LEVEL:-warning}
 SALT_LEVEL_LOGFILE=${SALT_LEVEL_LOGFILE:-warning}
+ ##### Security settings #####
+# https://docs.saltstack.com/en/latest/ref/configuration/master.html#master-security-settings
+SALT_MASTER_SIGN_PUBKEY=${SALT_MASTER_SIGN_PUBKEY:-False}
+SALT_MASTER_USE_PUBKEY_SIGNATURE=${SALT_MASTER_USE_PUBKEY_SIGNATURE:-False}
+SALT_MASTER_SIGN_KEY_NAME=${SALT_MASTER_SIGN_KEY_NAME:-master_sign}
+SALT_MASTER_PUBKEY_SIGNATURE=${SALT_MASTER_PUBKEY_SIGNATURE:-master_pubkey_signature}
diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh
index c4a2a1e..5367d39 100755
--- a/assets/runtime/functions.sh
+++ b/assets/runtime/functions.sh
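Review bot: The default set here for SALT_MASTER_USE_PUBKEY_SIGNATURE is `False`, while the README table added in the same commit documents its default as `True`; one of the two needs to change so the documented and effective defaults agree. These four variables are, as far as the garbled functions.sh hunk below shows, written straight into `${SALT_ROOT_DIR}/master`, and nothing in this hunk restricts the two boolean ones to the documented 'True'/'False' set, so any other value (or an empty string passed via `--env`) reaches the master config unchecked and the resulting signing behaviour is not what the operator asked for. Failing fast right after the defaults, e.g. `case "${SALT_MASTER_SIGN_PUBKEY}" in True|False) ;; *) echo "SALT_MASTER_SIGN_PUBKEY must be True or False" >&2; exit 1 ;; esac`, and the same check for SALT_MASTER_USE_PUBKEY_SIGNATURE, would surface the mistake at container start instead of at minion-auth time. A one-line comment above the security block mapping each variable to the Salt option it becomes (`master_sign_pubkey`, `master_use_pubkey_signature`, `master_sign_key_name`, `master_pubkey_signature`) would also help readers cross-reference the linked docs.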
@@ -1,55 +1,92 @@ #!/usr/bin/env bash set -e - -echo "Loading ${SALT_RUNTIME_DIR}/env-defaults.sh" source ${SALT_RUNTIME_DIR}/env-defaults.sh -# This function copies minion keys -function copy_minion_keys() +# This function generates a master_sign key pair and its signature +function gen_signed_keys() { - echo "Copying minion keys..." + local key_name=${1:-master} + + mkdir -p ${SALT_KEYS_DIR}/generated/ + GENERATED_KEYS_DIR=$(mktemp -d -p ${SALT_KEYS_DIR}/generated/ -t ${key_name}.XXXXX) - if [ -d "${SALT_KEYS_DIR}/master" ] && [ ! -z "$(ls -A ${SALT_KEYS_DIR}/master)" ]; then - mkdir -v -p -m 0700 ${SALT_MASTER_DIR} - cp -v ${SALT_KEYS_DIR}/master/master.{pem,pub} ${SALT_MASTER_DIR} - chown -v ${SALT_USER}:${SALT_USER} ${SALT_MASTER_DIR}/master.{pem,pub} - fi + salt-key --gen-keys ${key_name} --gen-keys-dir ${GENERATED_KEYS_DIR} > /dev/null 2>&1 + salt-key --gen-signature --auto-create --pub ${GENERATED_KEYS_DIR}/${key_name}.pub --signature-path ${GENERATED_KEYS_DIR} > /dev/null 2>&1 - if [ -d "${SALT_KEYS_DIR}/minions" ] && [ ! -z "$(ls -A ${SALT_KEYS_DIR}/minions)" ]; then - mkdir -v -p -m 0700 ${SALT_MASTER_DIR}/minions - cp -v ${SALT_KEYS_DIR}/minions/* ${SALT_MASTER_DIR}/minions - chown -v ${SALT_USER}:${SALT_USER} ${SALT_MASTER_DIR}/minions/* + echo -n ${GENERATED_KEYS_DIR} +} + +# This function repairs keys permissions and creates keys if neaded +function setup_keys() +{ + echo "Setting up keys..." + + sed -i \ + -e "s|^[#]*master_sign_pubkey:.*$|# master_sign_pubkey -> overrided|" \ + -e "s|^[#]*master_sign_key_name:.*$|# master_sign_key_name -> overrided|" \ + -e "s|^[#]*master_pubkey_signature:.*$|# master_pubkey_signature -> overrided|" \ + -e "s|^[#]*master_use_pubkey_signature:.*$|# master_use_pubkey_signature -> overrided|" \ + ${SALT_ROOT_DIR}/master + + cat >> ${SALT_ROOT_DIR}/master <> ${SALT_ROOT_DIR}/master < - Create a master_sign key pair and its signature inside ${SALT_KEYS_DIR}/generated/" + echo " app:help - Displays this help." 
+ echo " [command] - Execute the specified command, eg. bash." ;; *) exec "$@"