diff --git a/extensions/storage/pkg/config/defaults/defaultconfig.go b/extensions/storage/pkg/config/defaults/defaultconfig.go
index d922393eac..10de4b2652 100644
--- a/extensions/storage/pkg/config/defaults/defaultconfig.go
+++ b/extensions/storage/pkg/config/defaults/defaultconfig.go
@@ -1,6 +1,7 @@
 package defaults
 import (
+ "log"
 "os"
 "path"
@@ -36,7 +37,6 @@ func DefaultConfig() *config.Config {
 Reva: config.Reva{
 JWTSecret: "Pive-Fumkiu4",
 SkipUserGroupsInToken: false,
- TransferSecret: "replace-me-with-a-transfer-secret",
 TransferExpires: 24 * 60 * 60,
 OIDC: config.OIDC{
 Issuer: defaultPublicURL,
@@ -460,7 +460,11 @@ func DefaultConfig() *config.Config {
 }
 func EnsureDefaults(cfg *config.Config) {
- // TODO: IMPLEMENT ME!
+ if cfg.TransferSecret == "" && cfg.Commons != nil && cfg.Commons.TransferSecret != "" {
+ cfg.TransferSecret = cfg.Commons.TransferSecret
+ } else {
+ log.Fatal("reva transfer secret is not set up properly, bailing out (storage)")
+ }
 }
 func Sanitize(cfg *config.Config) {
diff --git a/extensions/thumbnails/pkg/config/config.go b/extensions/thumbnails/pkg/config/config.go
index 52f72bc4e1..9f18231956 100644
--- a/extensions/thumbnails/pkg/config/config.go
+++ b/extensions/thumbnails/pkg/config/config.go
@@ -42,6 +42,6 @@ type Thumbnail struct {
 CS3AllowInsecure bool `yaml:"cs3_allow_insecure,omitempty" env:"OCIS_INSECURE;THUMBNAILS_CS3SOURCE_INSECURE"`
 RevaGateway string `yaml:"reva_gateway,omitempty" env:"REVA_GATEWAY"` //TODO: use REVA config
 FontMapFile string `yaml:"font_map_file,omitempty" env:"THUMBNAILS_TXT_FONTMAP_FILE"`
- TransferTokenSecret string `yaml:"transfer_token,omitempty" env:"THUMBNAILS_TRANSFER_TOKEN"`
+ TransferSecret string `yaml:"transfer_secret,omitempty" env:"THUMBNAILS_TRANSFER_TOKEN"`
 DataEndpoint string `yaml:"data_endpoint,omitempty" env:"THUMBNAILS_DATA_ENDPOINT"`
 }
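Review bot: `JWTSecret: "Pive-Fumkiu4"` on the context line just above the removed entry is still a hard-coded default, so the problem this hunk fixes for the transfer secret remains for token signing. A deployment that never overrides it signs tokens with a value published in the source tree. Consider removing this default as well and enforcing a non-empty value in EnsureDefaults, or at least marking it with `// FIXME: known default, must be overridden before production use`. DefaultConfig starts and ends outside this hunk.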
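Review bot: The `else` in EnsureDefaults also fires when `cfg.TransferSecret` is already non-empty, so a service whose secret was configured explicitly exits with "not set up properly" instead of starting. Only the case where both the local value and the Commons value are empty should be fatal; separate the fallback from the final emptiness check as shown below. The thumbnails EnsureDefaults hunk (`cfg.Thumbnail.TransferSecret`) has the same shape and needs the same change. The default removed earlier in this file sat under `Reva:`, so it is worth confirming that the top-level `cfg.TransferSecret` is the field the storage services actually read; that is not visible here.

```go
func EnsureDefaults(cfg *config.Config) {
	// Fall back to the shared secret only when no service-specific one is set.
	if cfg.TransferSecret == "" && cfg.Commons != nil {
		cfg.TransferSecret = cfg.Commons.TransferSecret
	}
	// Fatal only when neither source supplied a value.
	if cfg.TransferSecret == "" {
		log.Fatal("reva transfer secret is not set up properly, bailing out (storage)")
	}
}
```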
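Review bot: The yaml key on the Thumbnail struct changes from `transfer_token` to `transfer_secret` with no fallback, so a config file that still uses the old key is ignored without any message, while the environment variable keeps the old name `THUMBNAILS_TRANSFER_TOKEN`. With the hard-coded default removed in the same commit, such a deployment would presumably end up on the fatal path in EnsureDefaults. A field comment such as `// TransferSecret signs thumbnail transfer tokens (yaml key was transfer_token before this change)` plus a changelog entry would make the break visible. If the shared variable should also be accepted here, `env:"REVA_TRANSFER_SECRET;THUMBNAILS_TRANSFER_TOKEN"` would follow the multi-name pattern already used by CS3AllowInsecure.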
diff --git a/extensions/thumbnails/pkg/config/defaults/defaultconfig.go b/extensions/thumbnails/pkg/config/defaults/defaultconfig.go
index c74b85065b..75a71ae43c 100644
--- a/extensions/thumbnails/pkg/config/defaults/defaultconfig.go
+++ b/extensions/thumbnails/pkg/config/defaults/defaultconfig.go
@@ -1,6 +1,7 @@
 package defaults
 import (
+ "log"
 "path"
 "github.com/owncloud/ocis/extensions/thumbnails/pkg/config"
@@ -44,7 +45,6 @@ func DefaultConfig() *config.Config {
 WebdavAllowInsecure: false,
 RevaGateway: "127.0.0.1:9142",
 CS3AllowInsecure: false,
- TransferTokenSecret: "changemeplease",
 DataEndpoint: "http://127.0.0.1:9186/thumbnails/data",
 },
 }
@@ -73,6 +73,12 @@ func EnsureDefaults(cfg *config.Config) {
 } else if cfg.Tracing == nil {
 cfg.Tracing = &config.Tracing{}
 }
+
+ if cfg.Thumbnail.TransferSecret == "" && cfg.Commons != nil && cfg.Commons.TransferSecret != "" {
+ cfg.Thumbnail.TransferSecret = cfg.Commons.TransferSecret
+ } else {
+ log.Fatalf("reva transfer secret is not set up properly, bailing out (%s)", cfg.Service.Name)
+ }
 }
 func Sanitize(cfg *config.Config) {
diff --git a/extensions/thumbnails/pkg/service/grpc/v0/service.go b/extensions/thumbnails/pkg/service/grpc/v0/service.go
index b5f34f32fd..89eb703d7d 100644
--- a/extensions/thumbnails/pkg/service/grpc/v0/service.go
+++ b/extensions/thumbnails/pkg/service/grpc/v0/service.go
@@ -49,7 +49,7 @@ func NewService(opts ...Option) decorators.DecoratedService {
 TxtFontFileMap: options.Config.Thumbnail.FontMapFile,
 },
 dataEndpoint: options.Config.Thumbnail.DataEndpoint,
- transferTokenSecret: options.Config.Thumbnail.TransferTokenSecret,
+ transferTokenSecret: options.Config.Thumbnail.TransferSecret,
 }
 return svc
diff --git a/extensions/thumbnails/pkg/service/http/v0/service.go b/extensions/thumbnails/pkg/service/http/v0/service.go
index 864dca0ae8..944020cb5a 100644
--- a/extensions/thumbnails/pkg/service/http/v0/service.go
+++ b/extensions/thumbnails/pkg/service/http/v0/service.go
@@ -102,7 +102,7 @@ func (s Thumbnails) TransferTokenValidator(next http.Handler) http.Handler {
 if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 }
- return []byte(s.config.Thumbnail.TransferTokenSecret), nil
+ return []byte(s.config.Thumbnail.TransferSecret), nil
 })
 if err != nil {
 s.logger.Error().
diff --git a/ocis-pkg/config/config.go b/ocis-pkg/config/config.go
index 57a2448e17..91951fa89d 100644
--- a/ocis-pkg/config/config.go
+++ b/ocis-pkg/config/config.go
@@ -57,8 +57,9 @@ type Config struct {
 Registry string `yaml:"registry,omitempty"`
 TokenManager *shared.TokenManager `yaml:"token_manager,omitempty"`
- MachineAuthAPIKey string
- Runtime Runtime `yaml:"runtime,omitempty"`
+ MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
+ TransferSecret string `yaml:"transfer_secret,omitempty"`
+ Runtime Runtime `yaml:"runtime,omitempty"`
 Audit *audit.Config `yaml:"audit,omitempty"`
 Accounts *accounts.Config `yaml:"accounts,omitempty"`
diff --git a/ocis-pkg/config/parser/parse.go b/ocis-pkg/config/parser/parse.go
index e77f7986b6..a28c457df1 100644
--- a/ocis-pkg/config/parser/parse.go
+++ b/ocis-pkg/config/parser/parse.go
@@ -57,6 +57,12 @@ func ParseConfig(cfg *config.Config) error {
 log.Fatalf("machine auth api key is not set up properly, bailing out (ocis)")
 }
+ if cfg.TransferSecret != "" {
+ cfg.Commons.TransferSecret = cfg.TransferSecret
+ } else {
+ log.Fatalf("reva transfer secret not properly set, bailing out (ocis)")
+ }
+
 // load all env variables relevant to the config in the current context.
 if err := envdecode.Decode(cfg); err != nil {
 // no environment variable set for this config is an expected "error"
diff --git a/ocis-pkg/shared/shared_types.go b/ocis-pkg/shared/shared_types.go
index 437e6d0d34..fa3f98094b 100644
--- a/ocis-pkg/shared/shared_types.go
+++ b/ocis-pkg/shared/shared_types.go
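Review bot: The key function returns `[]byte(s.config.Thumbnail.TransferSecret)` without checking that it is non-empty, so token validation depends entirely on EnsureDefaults having run before this handler is used. With the hard-coded default gone, an empty value here would mean HMAC verification against a zero-length key. A local guard before the return makes the handler fail closed: `if s.config.Thumbnail.TransferSecret == "" { return nil, fmt.Errorf("transfer secret is not configured") }`. The key function and TransferTokenValidator both begin and end outside this hunk.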
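Review bot: `TransferSecret` in the top-level Config struct gets only a yaml tag, while `MachineAuthAPIKey` on the line above gains `env:"OCIS_MACHINE_AUTH_API_KEY"`. The only environment mapping for the transfer secret in this commit is `REVA_TRANSFER_SECRET` on shared.Commons, and ParseConfig tests `cfg.TransferSecret`, not the Commons field. Unless something outside these hunks copies the value across, a deployment that supplies the secret only through the environment will not satisfy that check. Adding `env:"REVA_TRANSFER_SECRET"` to this tag would keep the two structs aligned.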
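Review bot: In ParseConfig the emptiness check on `cfg.TransferSecret` sits above `envdecode.Decode(cfg)`, so values that arrive from the environment are not yet loaded when it runs (unless decoding also happens earlier in the function, outside this hunk). Moving the block below the decode call would let both file and environment sources count. `cfg.Commons` is dereferenced here without a nil check, whereas both EnsureDefaults hunks guard with `cfg.Commons != nil`; presumably it is initialised above, but that is not visible. ParseConfig already returns `error`, so returning one instead of calling `log.Fatalf` would let callers decide how to exit.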
@@ -37,4 +37,5 @@ type Commons struct {
 OcisURL string `yaml:"ocis_url" env:"OCIS_URL"`
 TokenManager *TokenManager `yaml:"token_manager"`
 MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY"`
+ TransferSecret string `yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
 }
diff --git a/ocis/pkg/command/init.go b/ocis/pkg/command/init.go
index efd1d67de6..d92c038bd3 100644
--- a/ocis/pkg/command/init.go
+++ b/ocis/pkg/command/init.go
@@ -19,7 +19,6 @@ import (
 idm "github.com/owncloud/ocis/extensions/idm/pkg/config"
 proxy "github.com/owncloud/ocis/extensions/proxy/pkg/config"
 storage "github.com/owncloud/ocis/extensions/storage/pkg/config"
- thumbnails "github.com/owncloud/ocis/extensions/thumbnails/pkg/config"
 )
 const configFilename string = "ocis.yaml"
@@ -110,8 +109,8 @@ func createConfig(insecure, forceOverwrite bool, configPath string) error {
 //Proxy: &proxy.Config{},
 //OCS: &ocs.Config{},
 //Settings: &settings.Config{},
- Storage: &storage.Config{},
- Thumbnails: &thumbnails.Config{},
+ Storage: &storage.Config{},
+ //Thumbnails: &thumbnails.Config{},
 //Web: &web.Config{},
 //WebDAV: &webdav.Config{},
 }
@@ -145,7 +144,7 @@ func createConfig(insecure, forceOverwrite bool, configPath string) error {
 if err != nil {
 return fmt.Errorf("Could not generate random password for machineauthsecret: %s", err)
 }
- thumbnailTransferTokenSecret, err := generators.GenerateRandomPassword(passwordLength)
+ revaTransferTokenSecret, err := generators.GenerateRandomPassword(passwordLength)
 if err != nil {
 return fmt.Errorf("Could not generate random password for machineauthsecret: %s", err)
 }
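Review bot: The error returned when generating `revaTransferTokenSecret` still reads "for machineauthsecret", identical to the message a few lines earlier for the machine auth key, so a failure here is reported against the wrong secret. Suggested replacement: `return fmt.Errorf("could not generate random password for transfer secret: %w", err)`. The message is on an unchanged context line, but it belongs to the statement this hunk renames. createConfig starts and ends outside the hunk.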
@@ -154,10 +153,9 @@ func createConfig(insecure, forceOverwrite bool, configPath string) error {
 // TODO: REVA config is missing (LDAP + GROUP provider)
 // TODO: graph needs IDM password configured
 // TODO: add missing insecure occurences
- // TODO: search for missing transfer secrets
- // TODO: move transfersecret for all extensions to shared
 cfg.MachineAuthAPIKey = machineAuthApiKey
+ cfg.TransferSecret = revaTransferTokenSecret
 cfg.TokenManager.JWTSecret = tokenManagerJwtSecret
 //cfg.Commons.TokenManager.JWTSecret = tokenManagerJwtSecret
 //cfg.Accounts.TokenManager.JWTSecret = tokenManagerJwtSecret
@@ -176,7 +174,7 @@ func createConfig(insecure, forceOverwrite bool, configPath string) error {
 //cfg.Settings.TokenManager.JWTSecret = tokenManagerJwtSecret
 cfg.Storage.Reva.JWTSecret = tokenManagerJwtSecret
 cfg.Storage.OCDav.JWTSecret = tokenManagerJwtSecret
- cfg.Thumbnails.Thumbnail.TransferTokenSecret = thumbnailTransferTokenSecret
+ //cfg.Thumbnails.Thumbnail.TransferSecret = revaTransferTokenSecret
 yamlOutput, err := yaml.Marshal(cfg)
 if err != nil {
 return fmt.Errorf("Could not marshall config into yaml: %s", err)
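Review bot: `cfg.TransferSecret = revaTransferTokenSecret` is now the only transfer secret that createConfig writes; the separately generated thumbnails secret is gone and its assignment is left commented out in the following hunk. Because thumbnails EnsureDefaults copies `cfg.Commons.TransferSecret`, the HMAC key that validates thumbnail transfer tokens and the reva transfer secret become the same value by default, so disclosure of either service's configuration exposes both. If that sharing is intended, say so where the value is assigned, e.g. `// shared by storage and thumbnails; override per service to keep the keys separate`. The commented-out assignment should be deleted rather than kept as dead code. createConfig starts and ends outside these hunks.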