diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index af1590862c..aaab3a3571 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -1,6 +1,7 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.
+import base64
 import os
 import re # noqa
 import sys
@@ -148,7 +149,10 @@ SCHEDULE_MAX_JOBS = 10
 SITE_ID = 1
 # Make this unique, and don't share it with anybody.
-SECRET_KEY = 'p7z7g1ql4%6+(6nlebb6hdk7sd^&fnjpal308%n%+p^_e6vo1y'
+if os.path.exists('/etc/tower/SECRET_KEY'):
+ SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip()
+else:
+ SECRET_KEY = base64.encodebytes(os.urandom(32)).decode().rstrip()
 # Hosts/domain names that are valid for this site; required if DEBUG is False
 # See https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
index db2edee006..33ace141f1 100644
--- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@@ -30,6 +30,12 @@
 when: not lookup('vars', item.item, default='')
 loop: "{{ secrets.results }}"
+- name: Write out SECRET_KEY
+ copy:
+ content: "{{ secret_key }}"
+ dest: "{{ sources_dest }}/SECRET_KEY"
+ no_log: true
+
 - name: Render configuration templates
 template:
 src: "{{ item }}.j2"
diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
index b639dcced8..72181cfb0b 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
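Review bot: The `else:` branch silently falls back to `base64.encodebytes(os.urandom(32))`, so when `/etc/tower/SECRET_KEY` is absent every process that imports these settings gets its own key, and the key changes on each restart. Anything signed or encrypted under it would not be readable from another process or after a restart; the migration note in this commit (keep the same secret key as the previous deployment) suggests stored data depends on the value, so a loud warning or a hard failure outside development looks safer than a quiet fallback. At minimum I would add above the `else:` a comment such as `# No key file: generate a throwaway key (differs per process and per restart; development/test only)`. The two branches also yield different types, `bytes` from the `'rb'` read and `str` from `.decode()`, and the `open()` is never closed; reading via `with open('/etc/tower/SECRET_KEY') as f:` in text mode would address both, if the rest of the code expects `str`.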
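Review bot: The `copy` task that writes `{{ sources_dest }}/SECRET_KEY` sets no `mode`, so the key file is created with whatever the umask of the user running the playbook allows, which on many systems leaves it world-readable. `no_log: true` keeps the value out of Ansible output but does nothing for the file on disk. I would add `mode: '0600'` under `copy:`, provided the user inside the container that reads the bind-mounted file can still open it (not visible in this hunk). The task list continues before and after the hunk.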
@@ -30,6 +30,7 @@ services:
 - "../../docker-compose/_sources/database.py:/etc/tower/conf.d/database.py"
 - "../../docker-compose/_sources/websocket_secret.py:/etc/tower/conf.d/websocket_secret.py"
 - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
+ - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
 - "redis_socket:/var/run/redis/:rw"
 privileged: true
 tty: true
diff --git a/tools/docker-compose/docs/data_migration.md b/tools/docker-compose/docs/data_migration.md
index afd107be89..3e313a0ebf 100644
--- a/tools/docker-compose/docs/data_migration.md
+++ b/tools/docker-compose/docs/data_migration.md
@@ -5,13 +5,15 @@ migrate your data to the development environment via the migrate.yml playbook, o
 > Note: This will also convert your postgresql bind-mount into a docker volume.
+First, in the `inventory` file, set your `pg_password`, `broadcast_websocket_secret`, `secret_key`, and any other settings you need for your deployment. **Make sure you use the same secret key value you had with your previous Local Docker deployment.**
+
 ### Migrate data with migrate.yml
 If you had a custom pgdocker or awxcompose location, you will need to set the `postgres_data_dir` and `old_docker_compose_dir` variables.
 1. Run the [migrate playbook](./ansible/migrate.yml) to migrate your data to the new postgresql container and convert the data directory to a volume mount.
 ```bash
-$ ansible-playbook migrate.yml -e "migrate_local_docker=true" -e "postgres_data_dir=~/.awx/pgdocker" -e "old_docker_compose_dir=~/.awx/awxcompose"
+$ ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/migrate.yml -e "migrate_local_docker=true" -e "postgres_data_dir=~/.awx/pgdocker" -e "old_docker_compose_dir=~/.awx/awxcompose"
 ```
 2. Change directory to the top of your awx checkout and start your containers
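Review bot: The new `SECRET_KEY` volume entry is mounted read-write into a service that the context lines show running with `privileged: true`; nothing visible here needs to write the key from inside the container, so `- "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY:ro"` would be the tighter form. With this short bind-mount syntax Docker also creates a missing host path as a directory, in which case the `os.path.exists('/etc/tower/SECRET_KEY')` check in `awx/settings/defaults.py` passes and the `open()` after it raises, so the file has to be written before the containers start. The service definition starts and ends outside the hunk.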