diff --git a/java/google/registry/tools/GetKeyringSecretCommand.java b/java/google/registry/tools/GetKeyringSecretCommand.java
index a50f8e959..0f0236f85 100644
--- a/java/google/registry/tools/GetKeyringSecretCommand.java
+++ b/java/google/registry/tools/GetKeyringSecretCommand.java
@@ -66,6 +66,9 @@ final class GetKeyringSecretCommand implements RemoteApiCommand {
 case BRDA_SIGNING_KEY_PAIR:
 out.write(KeySerializer.serializeKeyPair(keyring.getBrdaSigningKey()));
 break;
+ case BRDA_SIGNING_PUBLIC_KEY:
+ out.write(KeySerializer.serializePublicKey(keyring.getBrdaSigningKey().getPublicKey()));
+ break;
 case ICANN_REPORTING_PASSWORD:
 out.write(KeySerializer.serializeString(keyring.getIcannReportingPassword()));
 break;
@@ -87,6 +90,9 @@ final class GetKeyringSecretCommand implements RemoteApiCommand {
 case RDE_SIGNING_KEY_PAIR:
 out.write(KeySerializer.serializeKeyPair(keyring.getRdeSigningKey()));
 break;
+ case RDE_SIGNING_PUBLIC_KEY:
+ out.write(KeySerializer.serializePublicKey(keyring.getRdeSigningKey().getPublicKey()));
+ break;
 case RDE_SSH_CLIENT_PRIVATE_KEY:
 out.write(KeySerializer.serializeString(keyring.getRdeSshClientPrivateKey()));
 break;
diff --git a/java/google/registry/tools/UpdateKmsKeyringCommand.java b/java/google/registry/tools/UpdateKmsKeyringCommand.java
index 18c594c47..11c8780ad 100644
--- a/java/google/registry/tools/UpdateKmsKeyringCommand.java
+++ b/java/google/registry/tools/UpdateKmsKeyringCommand.java
@@ -65,6 +65,10 @@ final class UpdateKmsKeyringCommand implements RemoteApiCommand {
 case BRDA_SIGNING_KEY_PAIR:
 kmsUpdater.setBrdaSigningKey(deserializeKeyPair(input));
 break;
+ case BRDA_SIGNING_PUBLIC_KEY:
+ throw new IllegalArgumentException(
+ "Can't update BRDA_SIGNING_PUBLIC_KEY directly."
+ + " Must update public and private keys together using BRDA_SIGNING_KEY_PAIR.");
 case ICANN_REPORTING_PASSWORD:
 kmsUpdater.setIcannReportingPassword(deserializeString(input));
 break;
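Review bot: In the BRDA_SIGNING_PUBLIC_KEY case the public key is reached through `keyring.getBrdaSigningKey().getPublicKey()`, so a request for public material still loads the full signing key pair into the tool's process before the public half is taken. The RDE_SIGNING_PUBLIC_KEY case in the next hunk does the same through `getRdeSigningKey()`. If the Keyring interface (not visible here) has or can gain a public-only accessor, prefer it so that exporting a public key does not depend on access to the private half. Otherwise a short comment would record the intent, e.g. `// Only the public half of the signing key pair is serialized; the private key is never written to out.` The switch starts and ends outside both hunks.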
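Review bot: The rejection message in the BRDA_SIGNING_PUBLIC_KEY case spells both key names out inside string literals, and the RDE_SIGNING_PUBLIC_KEY case in the following hunk repeats the same text with the names swapped, so a later rename of either enum constant would leave the messages stale. Building the message from the constants keeps them in step, e.g. `String.format("Can't update %s directly. Must update public and private keys together using %s.", KeyringKeyName.BRDA_SIGNING_PUBLIC_KEY, KeyringKeyName.BRDA_SIGNING_KEY_PAIR)`. A small private helper taking the two names would remove the duplication between the two cases. The switch body continues outside the hunk.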
@@ -86,6 +90,15 @@ final class UpdateKmsKeyringCommand implements RemoteApiCommand {
 case RDE_SIGNING_KEY_PAIR:
 kmsUpdater.setRdeSigningKey(deserializeKeyPair(input));
 break;
+ case RDE_SIGNING_PUBLIC_KEY:
+ throw new IllegalArgumentException(
+ "Can't update RDE_SIGNING_PUBLIC_KEY directly."
+ + " Must update public and private keys together using RDE_SIGNING_KEY_PAIR.");
+ // Note that RDE_SSH_CLIENT public / private keys are slightly different than other key pairs,
+ // since they are just regular strings rather than {@link PGPKeyPair}s (because OpenSSH
+ // doesn't use PGP-style keys)
+ //
+ // Hence we can and need to update the private and public keys individually.
 case RDE_SSH_CLIENT_PRIVATE_KEY:
 kmsUpdater.setRdeSshClientPrivateKey(deserializeString(input));
 break;
diff --git a/java/google/registry/tools/params/KeyringKeyName.java b/java/google/registry/tools/params/KeyringKeyName.java
index c0e841381..6f7804ac9 100644
--- a/java/google/registry/tools/params/KeyringKeyName.java
+++ b/java/google/registry/tools/params/KeyringKeyName.java
@@ -24,6 +24,7 @@ public enum KeyringKeyName {
 BRAINTREE_PRIVATE_KEY,
 BRDA_RECEIVER_PUBLIC_KEY,
 BRDA_SIGNING_KEY_PAIR,
+ BRDA_SIGNING_PUBLIC_KEY,
 ICANN_REPORTING_PASSWORD,
 JSON_CREDENTIAL,
 MARKSDB_DNL_LOGIN,
@@ -31,6 +32,7 @@ public enum KeyringKeyName {
 MARKSDB_SMDRL_LOGIN,
 RDE_RECEIVER_PUBLIC_KEY,
 RDE_SIGNING_KEY_PAIR,
+ RDE_SIGNING_PUBLIC_KEY,
 RDE_SSH_CLIENT_PRIVATE_KEY,
 RDE_SSH_CLIENT_PUBLIC_KEY,
 RDE_STAGING_KEY_PAIR,
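Review bot: The comment block added right after the RDE_SIGNING_PUBLIC_KEY throw describes the RDE_SSH_CLIENT cases below it, but with nothing separating it from the throw it reads as a trailer to the rejecting case. A blank line before the comment would tie it to the case it explains. It also uses `{@link PGPKeyPair}` inside a `//` comment, where Javadoc tags are not rendered; plain text reads better: `// since they are just regular strings rather than PGPKeyPairs (because OpenSSH`. The switch body continues outside the hunk.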
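Review bot: Nothing on the enum says that BRDA_SIGNING_PUBLIC_KEY, and RDE_SIGNING_PUBLIC_KEY in the next hunk, are read-only names, although UpdateKmsKeyringCommand in this same commit rejects both with an IllegalArgumentException. A comment on each new constant would tell an operator or maintainer this before they meet the runtime error, e.g. `// Read-only: public half of BRDA_SIGNING_KEY_PAIR; update it through the key pair.` The enum declaration continues outside the hunk.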