diff --git a/type/__netbox/explorer/secretkey b/type/__netbox/explorer/secretkey
new file mode 100755
index 0000000..9f0331c
--- /dev/null
+++ b/type/__netbox/explorer/secretkey
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+# Explorer will output the key if he exists.
+
+secretkey="/opt/netbox/.secretkey"
+if [ -f "$secretkey" ]; then
+ cat "$secretkey"
+fi
diff --git a/type/__netbox/explorer/version b/type/__netbox/explorer/version
index a9ed590..5231e16 100755
--- a/type/__netbox/explorer/version
+++ b/type/__netbox/explorer/version
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 # output version if exist
 version_path="/opt/netbox/netbox/cdist/version"
diff --git a/type/__netbox/man.rst b/type/__netbox/man.rst
index c910d5c..77b47d0 100644
--- a/type/__netbox/man.rst
+++ b/type/__netbox/man.rst
@@ -32,16 +32,22 @@ database-user
 database-password
 PostgreSQL database password.
-secret-key
- Random secret key of at least 50 alphanumeric characters. This key must be
- unique to this installation and must not be shared outside the local
- system.
-
 host
 Hostname (domain or IP address) on which the application is served.
 OPTIONAL PARAMETERS
 -------------------
+secret-key
+ Random secret key of at least 50 alphanumeric characters and symbols. This
+ key must be unique to this installation and must not be shared outside the
+ local system. If no secret key is given, the type generates an own 50 chars
+ long key and saves it on the remote host to remember it for the next run.
+
+ The secret, random string is used to assist in the creation new
+ cryptographic hashes for passwords and HTTP cookies. It is not directly
+ used for hasing user passwords or for encrpted storage. It can be changed
+ at any time, but will invalidate all existing sessions.
+
 database-host
 PostgreSQL database hostname. Defaults to ``localhost``.
diff --git a/type/__netbox/manifest b/type/__netbox/manifest
index 133b527..cd47d38 100755
--- a/type/__netbox/manifest
+++ b/type/__netbox/manifest
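Review bot: The header comment in the new explorer is awkward and does not say that the script is deliberately silent when the file is absent, which is the property the manifest relies on when it tests the explorer output with `-s`; suggest `# Print the stored secret key, if any (no output when /opt/netbox/.secretkey is missing).` in place of `# Explorer will output the key if he exists.`. It is also worth a comment that the printed key is captured by cdist into the object's explorer directory on the control host, so the secret now lives there (and presumably in cdist's local cache) in addition to the remote file.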
@@ -37,7 +37,18 @@ export DATABASE_PORT
 ALLOWED_HOST=$(cat "$__object/parameter/host")
 export ALLOWED_HOST
-SECRET_KEY=$(cat "$__object/parameter/secret-key")
+
+if [ -f "$__object/parameter/secret-key" ]; then
+ SECRET_KEY=$(cat "$__object/parameter/secret-key")
+elif [ -s "$__object/explorer/secretkey" ]; then
+ # Can be done over netbox/generate_secret_key.py too, but it's to
+ # complicated with the variable setup (can't generated right now!).
+ # Generates a 50-character long key (without ' cause of python quotes)
+ SECRET_KEY="$(tr -cd '[:graph:]' < /dev/random | tr -d \' | head -c50)"
+else
+ # take the key that is already used
+ SECRET_KEY="$(cat "$__object/explorer/secretkey")"
+fi
 export SECRET_KEY
 if [ -f "$__object/parameter/ldap-server" ]; then
@@ -177,6 +188,12 @@ if [ -f "$__object/parameter/ldap-server" ]; then
 --source "$__object/files/ldap_config.py"
 fi
+# save secret
+require="__user/netbox" __file /opt/netbox/.secretkey --mode 400 \
+ --owner netbox --source - << SECRET
+$SECRET_KEY
+SECRET
+
 # Upload systemd units and gunicorn configuration.
 for unit in netbox netbox-rq; do
diff --git a/type/__netbox/parameter/optional b/type/__netbox/parameter/optional
index 21fea5f..47722e6 100644
--- a/type/__netbox/parameter/optional
+++ b/type/__netbox/parameter/optional
@@ -1,3 +1,4 @@
+secret-key
 database-host
 database-port
 ldap-server
diff --git a/type/__netbox/parameter/required b/type/__netbox/parameter/required
index 84e8e4b..3d03e5a 100644
--- a/type/__netbox/parameter/required
+++ b/type/__netbox/parameter/required
@@ -2,5 +2,4 @@ version
 database
 database-user
 database-password
-secret-key
 host
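Review bot: The `elif`/`else` branches in the first manifest hunk are inverted: `[ -s "$__object/explorer/secretkey" ]` is true exactly when the explorer found an existing key on the host, yet that branch generates a fresh one, while the `else` branch `cat`s an empty explorer file and leaves SECRET_KEY blank on a first run. The effect is that the first run writes an empty `/opt/netbox/.secretkey` (second manifest hunk) and every later run rotates the key and invalidates all sessions, the opposite of what the man page promises. Keep both conditions and swap the two assignments so that `SECRET_KEY="$(cat "$__object/explorer/secretkey")"` sits under the `-s` test and the `tr … | head -c50` generator under `else`, with the comments moved accordingly. On the generator itself, `/dev/urandom` is the conventional non-blocking source (`/dev/random` can stall the run on a control host short of entropy), and `[:graph:]` still admits a backslash, which the single-quoted Python literal mentioned in the comment would treat as an escape if it lands last; dropping it together with the quote, e.g. `tr -d "\\\\'"`, avoids that.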