diff --git a/ipfs-cluster-service/main.go b/ipfs-cluster-service/main.go
index 32bf13ca..7c0f52c6 100644
--- a/ipfs-cluster-service/main.go
+++ b/ipfs-cluster-service/main.go
@@ -210,15 +210,10 @@ configuration.
 					Name:  "custom-secret, s",
 					Usage: "prompt for the cluster secret",
 				},
-				cli.StringFlag{
-					Name:   "env-cluster-secret",
-					EnvVar: "CLUSTER_SECRET",
-					Hidden: true,
-				},
 			},
 			Action: func(c *cli.Context) error {
-				initConfig(c.GlobalBool("force"), !c.Bool("custom-secret"),
-					c.String("env-cluster-secret"))
+				userSecret, userSecretDefined := userProvidedSecret(c.Bool("custom-secret"))
+				initConfig(c.GlobalBool("force"), userSecret, userSecretDefined)
 				return nil
 			},
 		},
@@ -251,7 +246,7 @@ configuration.
 
 func run(c *cli.Context) error {
 	if c.Bool("init") {
-		initConfig(c.Bool("force"), false, "")
+		initConfig(c.Bool("force"), nil, false)
 		return nil
 	}
 
@@ -370,7 +365,7 @@ func setupDebug() {
 	//SetFacilityLogLevel("libp2p-raft", l)
 }
 
-func initConfig(force bool, generateSecret bool, envSecret string) {
+func initConfig(force bool, userSecret []byte, userSecretDefined bool) {
 	if _, err := os.Stat(configPath); err == nil && !force {
 		err := fmt.Errorf("%s exists. Try running with -f", configPath)
 		checkErr("", err)
@@ -379,16 +374,9 @@ func initConfig(force bool, generateSecret bool, envSecret string) {
 	cfg, err := ipfscluster.NewDefaultConfig()
 	checkErr("creating default configuration", err)
 
-	if len(envSecret) != 0 {
-		// read cluster secret from env variable
-		fmt.Println("Reading cluster secret from CLUSTER_SECRET environment variable.")
-		cfg.ClusterSecret, err = ipfscluster.DecodeClusterSecret(envSecret)
-	} else if !generateSecret {
-		// get cluster secret from user
-		cfg.ClusterSecret, err = ipfscluster.DecodeClusterSecret(promptUser("Enter cluster secret (32-byte hex string): "))
-
+	if userSecretDefined {
+		cfg.ClusterSecret = userSecret
 	}
-	checkErr("parsing cluster secret", err)
 
 	err = os.MkdirAll(filepath.Dir(configPath), 0700)
 	err = cfg.Save(configPath)
@@ -397,6 +385,21 @@ func initConfig(force bool, generateSecret bool, envSecret string) {
 		programName, configPath)
 }
 
+func userProvidedSecret(enterSecret bool) ([]byte, bool) {
+	var secret string
+	if enterSecret {
+		secret = promptUser("Enter cluster secret (32-byte hex string): ")
+	} else if envSecret, envSecretDefined := os.LookupEnv("CLUSTER_SECRET"); envSecretDefined {
+		secret = envSecret
+	} else {
+		return nil, false
+	}
+
+	decodedSecret, err := ipfscluster.DecodeClusterSecret(secret)
+	checkErr("parsing user-provided secret", err)
+	return decodedSecret, true
+}
+
 func loadConfig() (*ipfscluster.Config, error) {
 	return ipfscluster.LoadConfig(configPath)
 }