diff --git a/models/admin/task.go b/models/admin/task.go
index 5d2b9bbff6f..7056a8359ec 100644
--- a/models/admin/task.go
+++ b/models/admin/task.go
@@ -137,6 +137,11 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
 				log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)
 			}
 		}
+		if opts.AWSSecretAccessKeyEncrypted != "" {
+			if opts.AWSSecretAccessKey, err = secret.DecryptSecret(setting.SecretKey, opts.AWSSecretAccessKeyEncrypted); err != nil {
+				log.Error("Unable to decrypt AWSSecretAccessKey, maybe SECRET_KEY is wrong: %v", err)
+			}
+		}
 
 		return &opts, nil
 	}
@@ -201,6 +206,8 @@ func FinishMigrateTask(ctx context.Context, task *Task) error {
 	conf.AuthPasswordEncrypted = ""
 	conf.AuthTokenEncrypted = ""
 	conf.CloneAddrEncrypted = ""
+	conf.AWSSecretAccessKey = ""
+	conf.AWSSecretAccessKeyEncrypted = ""
 	confBytes, err := json.Marshal(conf)
 	if err != nil {
 		return err
diff --git a/modules/migration/options.go b/modules/migration/options.go
index 163aa0cfaaa..0f73c55ac4e 100644
--- a/modules/migration/options.go
+++ b/modules/migration/options.go
@@ -40,5 +40,7 @@ type MigrateOptions struct {
 	MirrorInterval  string `json:"mirror_interval"`
 
 	AWSAccessKeyID     string
-	AWSSecretAccessKey string
+	AWSSecretAccessKey string `json:",omitempty"`
+
+	AWSSecretAccessKeyEncrypted string `json:"aws_secret_access_key_encrypted,omitempty"`
 }
diff --git a/services/task/task.go b/services/task/task.go
index 86cf6a041fd..25eccd1077b 100644
--- a/services/task/task.go
+++ b/services/task/task.go
@@ -85,6 +85,11 @@ func CreateMigrateTask(ctx context.Context, doer, u *user_model.User, opts base.
 		return nil, err
 	}
 	opts.AuthToken = ""
+	opts.AWSSecretAccessKeyEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AWSSecretAccessKey)
+	if err != nil {
+		return nil, err
+	}
+	opts.AWSSecretAccessKey = ""
 	bs, err := json.Marshal(&opts)
 	if err != nil {
 		return nil, err