diff --git a/compose/services.yml b/compose/services.yml
index 7546a8d..bdf3a34 100644
--- a/compose/services.yml
+++ b/compose/services.yml
@@ -73,15 +73,16 @@ services:
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
       BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION:
+      COMMON_REGION: ${OPENBALENA_S3_REGION}
       REGISTRY2_CACHE_ENABLED: "false"
       REGISTRY2_CACHE_ADDR: 127.0.0.1:6379
       REGISTRY2_CACHE_DB: 0
       REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes
       REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru
-      REGISTRY2_S3_BUCKET:
-      REGISTRY2_S3_KEY:
-      REGISTRY2_S3_SECRET:
+      REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT}
+      REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET}
+      REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY}
       REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
       REGISTRY2_STORAGEPATH: /data
 
@@ -125,8 +126,9 @@ services:
     volumes:
       - s3:/export
     environment:
-      S3_MINIO_ACCESS_KEY: abcdef1234
-      S3_MINIO_SECRET_KEY: "1234567890"
+      S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY}
+      BUCKETS: ${OPENBALENA_S3_BUCKETS}
 
   redis:
     extends:
diff --git a/compose/versions b/compose/versions
index dfe7f7e..fe971ac 100644
--- a/compose/versions
+++ b/compose/versions
@@ -1,6 +1,6 @@
 export OPENBALENA_API_VERSION_TAG=v0.19.5
 export OPENBALENA_DB_VERSION_TAG=v2.0.3
-export OPENBALENA_REGISTRY_VERSION_TAG=v2.11.1
-export OPENBALENA_S3_VERSION_TAG=v2.6.2
-export OPENBALENA_VPN_VERSION_TAG=v8.10.0
 export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.6.2
+export OPENBALENA_REGISTRY_VERSION_TAG=v2.11.1
+export OPENBALENA_S3_VERSION_TAG=v2.8.5
+export OPENBALENA_VPN_VERSION_TAG=v8.10.0
diff --git a/scripts/logger.sh b/scripts/logger.sh
new file mode 100644
index 0000000..5ead895
--- /dev/null
+++ b/scripts/logger.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+log_raw () {
+    local COLOR="${WHITE}"
+    local LEVEL="${1}"
+    local MESSAGE="${2}"
+    case "${LEVEL}" in
+        info)
+            COLOR="${BLUE}"
+            ;;
+        warn)
+            COLOR="${YELLOW}"
+            ;;
+        fatal)
+            COLOR="${RED}"
+            ;;
+        *)
+            LEVEL="debug"
+            ;;
+    esac
+    LEVEL="${LEVEL}     "
+    echo "[$(date +%T)] ${COLOR}$(echo "${LEVEL:0:5}" | tr '[:lower:]' '[:upper:]')${RESET} ${MESSAGE}";
+}
+
+log () {
+    log_raw "debug" "${1}"
+}
+
+info () {
+    log_raw "info" "${1}";
+}
+
+warn () {
+    log_raw "warn" "${1}";
+}
+
+die () {
+    log_raw "fatal" "${1}";
+    exit 1;
+}
+
+die_unless_forced () {
+    if [ ! -z "$1" ]; then
+        log_raw "warn" "$2";
+        return;
+    fi
+    
+    log_raw "fatal" "$2";
+    die "Use -f to forcibly upgrade.";
+}
\ No newline at end of file
diff --git a/scripts/make-env b/scripts/make-env
index 2e27561..5f2b916 100755
--- a/scripts/make-env
+++ b/scripts/make-env
@@ -40,11 +40,15 @@ b64file() {
   b64encode "$(cat "$@")"
 }
 
+# buckets to create in the S3 service...
+REGISTRY2_S3_BUCKET="registry-data"
+
 cat <<STR
 export OPENBALENA_PRODUCTION_MODE=false
 export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
+export OPENBALENA_REGISTRY2_S3_BUCKET=${REGISTRY2_S3_BUCKET}
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
 export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
 export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
@@ -61,6 +65,11 @@ export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
+export OPENBALENA_S3_ACCESS_KEY=$(randstr 32)
+export OPENBALENA_S3_BUCKETS="${REGISTRY2_S3_BUCKET}"
+export OPENBALENA_S3_ENDPOINT="https://s3.${DOMAIN}"
+export OPENBALENA_S3_REGION=us-east-1
+export OPENBALENA_S3_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
 export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
 export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")
diff --git a/scripts/migrate-registry-storage b/scripts/migrate-registry-storage
new file mode 100755
index 0000000..89aff1e
--- /dev/null
+++ b/scripts/migrate-registry-storage
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+migrate_data_to_s3 () {
+  BUCKET="${1:-registry-data}"
+
+  if [ -z "${BUCKET}" ]; then return 1; fi
+
+  if [ -n "${DOCKER_HOST}" ]; then
+      log "Using docker host: ${DOCKER_HOST}"
+      export DOCKER_HOST="${DOCKER_HOST}"
+  fi
+
+  REGISTRY_CONTAINER="$(docker ps | grep registry_ | awk '{print $1}')"
+  S3_CONTAINER="$(docker ps | grep s3_ | awk '{print $1}')"
+
+  if [ -z "${REGISTRY_CONTAINER}" ] || [ -z "${S3_CONTAINER}" ]; then return 2; fi
+
+  REGISTRY_VOLUME="$(docker inspect "${REGISTRY_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/data")) | .[0].Source')"
+  S3_VOLUME=$(docker inspect "${S3_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/export")) | .[0].Source')
+
+  if [ -z "${REGISTRY_VOLUME}" ] || [ -z "${S3_VOLUME}" ]; then return 3; fi
+
+  # run the S3 container image, and copy the data partition into S3...
+  docker run -it --rm \
+      -v "${REGISTRY_VOLUME}:/data" \
+      -v "${S3_VOLUME}:/s3" \
+      --name "migrate-registry" alpine \
+      sh -c "mkdir -p /s3/${BUCKET}/data && cp -r /data/docker /s3/${BUCKET}/data/"
+}
diff --git a/scripts/upgrade-1.x-to-2.0 b/scripts/upgrade-1.x-to-2.0
new file mode 100755
index 0000000..df8ced3
--- /dev/null
+++ b/scripts/upgrade-1.x-to-2.0
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+source "${BASH_SOURCE%/*}/logger.sh"
+source "${BASH_SOURCE%/*}/migrate-registry-storage"
+
+# This script takes a v1.x.x install and updates the compose stack to use S3 as your
+# registry storage.
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+DIR="$(dirname $(realpath "$0"))"
+BASE_DIR="$(dirname "${DIR}")"
+CONFIG_DIR="${BASE_DIR}/config"
+CONFIG_FILE="${CONFIG_DIR}/activate"
+
+# Step 1. Make sure a config exists...
+[ -f "${CONFIG_FILE}" ] || die "Unable to find existing config!";
+
+info "Preparing to upgrade..."
+source "${CONFIG_FILE}"
+
+while getopts "f" opt; do
+  case "${opt}" in
+    f) 
+        warn "Forcing upgrade! I hope you know what you're doing..."
+        FORCE_UPGRADE=1
+        ;;
+    *)
+      echo "Invalid argument: ${OPTARG}"
+      exit 1
+      ;;
+  esac
+done
+shift $((OPTIND-1))
+
+# Step 2. Check if the S3 configuration already exists...
+upgrade_required () {
+    [ -z "${OPENBALENA_REGISTRY2_S3_BUCKET}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ACCESS_KEY}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ENDPOINT}" ] || return 1;
+    [ -z "${OPENBALENA_S3_REGION}" ] || return 1;
+    [ -z "${OPENBALENA_S3_SECRET_KEY}" ] || return 1;
+}
+upgrade_required || die_unless_forced "${FORCE_UPGRADE}" "Configuration may already be using S3 for Registry storage!"
+
+# Step 3. Create missing S3 configuration...
+randstr() {
+  LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w "${1:-32}" | head -n 1
+}
+
+upsert_config () {
+    var="${1}"
+    value="${2}"
+
+    if [ -z "${!var}" ]; then
+        echo "export ${1}=${2}" >> "${CONFIG_FILE}"
+    else
+        sed -i '' "s~export ${1}=.*~export ${1}=${2}~" "${CONFIG_FILE}"
+    fi
+}
+
+upsert_config "OPENBALENA_REGISTRY2_S3_BUCKET" "registry-data" || warn "Failed to update config value OPENBALENA_REGISTRY2_S3_BUCKET"
+upsert_config "OPENBALENA_S3_ACCESS_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_ACCESS_KEY"
+upsert_config "OPENBALENA_S3_ENDPOINT" "https://s3.${OPENBALENA_HOST_NAME}" || warn "Failed to update config value OPENBALENA_S3_ENDPOINT"
+upsert_config "OPENBALENA_S3_REGION" "us-east-1" || warn "Failed to update config value OPENBALENA_S3_REGION"
+upsert_config "OPENBALENA_S3_SECRET_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_SECRET_KEY"
+
+# Step 4. Migrate Registry data to S3...
+info "Copying data from the Registry volume to the S3 volume..."
+migrate_data_to_s3 "registry-data"
+case $? in
+    1)  die "Invalid bucket name";;
+    2)  die "Unable to find the running Registry or S3 containers";;
+    3)  die "Unable to determine the data volumes for the Registry or S3 containers";;
+    *)  info "Registry data copied"
+        ;;
+esac
+info "Upgrade complete"
\ No newline at end of file