diff --git a/bcm-fscrypt-key-migration/Makefile b/bcm-fscrypt-key-migration/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..8634921a36cd768bf680d9119d1dc4792b86fe04
--- /dev/null
+++ b/bcm-fscrypt-key-migration/Makefile
@@ -0,0 +1,31 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=bcm-fscrypt-key-migration
+PKG_RELEASE:=1
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+PKG_LICENSE:=GPL-2.0-only
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/bcm-fscrypt-key-migration
+  CATEGORY:=Base system
+  TITLE:=Broadcom Fscrypt Key Migration
+endef
+
+define Package/bcm-fscrypt-key-migration/description
+	Broadcom Fscrypt Key Migration
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+	$(CP) ./files/* $(PKG_BUILD_DIR)/
+endef
+
+define Build/Compile
+endef
+
+define Package/bcm-fscrypt-key-migration/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,bcm-fscrypt-key-migration))
diff --git a/bcm-fscrypt-key-migration/files/lib/preinit/79-bcm-fscrypt-key-migration b/bcm-fscrypt-key-migration/files/lib/preinit/79-bcm-fscrypt-key-migration
new file mode 100644
index 0000000000000000000000000000000000000000..634ce5aaa59756455678908db5452c92af60afd3
--- /dev/null
+++ b/bcm-fscrypt-key-migration/files/lib/preinit/79-bcm-fscrypt-key-migration
@@ -0,0 +1,8 @@
+# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2010 Vertical Communications
+
+do_bcm_fscrypt_key_migration() {
+    bcm_fscrypt_key_migration
+}
+
+boot_hook_add preinit_main do_bcm_fscrypt_key_migration
diff --git a/bcm-fscrypt-key-migration/files/sbin/bcm_fscrypt_key_migration b/bcm-fscrypt-key-migration/files/sbin/bcm_fscrypt_key_migration
new file mode 100755
index 0000000000000000000000000000000000000000..a1efa116519164dcb72f0072880a63f31f63e7d9
--- /dev/null
+++ b/bcm-fscrypt-key-migration/files/sbin/bcm_fscrypt_key_migration
@@ -0,0 +1,63 @@
+#!/bin/sh
+. /lib/functions/preinit.sh
+. /lib/functions/iopsys-system-layout.sh
+
+is_migrated() {
+    local overlay_mount="${1:-/overlay}"
+    local data_dir="$overlay_mount/data"
+    local key_desc="$(get_board_specific_encryption_key_desc)"
+    local data_dir_key_desc="$(fscryptctl get_policy $data_dir | grep Descriptor | awk '{print $3}')"
+
+    if [ "$data_dir_key_desc" = "$key_desc" ]; then
+	return 0
+    else
+	return 1
+    fi
+}
+
+migrate_overlay() {
+    local overlay_mount="${1:-/overlay}"
+    local data_dir="$overlay_mount/data"
+    local tmp_data_dir="$overlay_mount/data.tmp"
+    local new_desc="$(get_board_specific_encryption_key_desc)"
+
+    echo "$0 migrating overlay" >> /dev/console
+
+    mkdir -p "$tmp_data_dir"
+    fscryptctl set_policy "$new_desc" "$tmp_data_dir"
+    #migrate files, if any
+    mv "$data_dir/*" "$tmp_data_dir/" 2>/dev/null
+    mv "$data_dir" "$data_dir.old"
+    mv "$tmp_data_dir" "$data_dir"
+    rm -rf "$data_dir.old"
+}
+
+encryption_init_kernel_keyring_old_key() {
+    if [ -f /proc/device-tree/key_dev_specific_512 ]; then
+	local key="$(cat /proc/device-tree/key_dev_specific_512)"
+	[ -z "$key" ] || echo -n "$key" | fscryptctl insert_key > /dev/null
+    else
+	echo "Old key key_dev_specific_512 not found!" >> /dev/stderr
+    fi
+}
+
+bcm_fscrypt_key_migration() {
+    local overlay_mount="/overlay"
+
+    use_overlay_encryption || return
+
+    get_system_layout_info_in_global_var
+
+    encryption_init_kernel_keyring
+    mount_overlay_partition current "$overlay_mount"
+
+    if is_migrated "$overlay_mount"; then
+	umount $overlay_mount
+	return
+    fi
+    encryption_init_kernel_keyring_old_key
+    migrate_overlay "$overlay_mount"
+    umount $overlay_mount
+}
+
+bcm_fscrypt_key_migration