diff --git a/docs/nix_keyserver_deployment.md b/docs/nix_keyserver_deployment.md
--- a/docs/nix_keyserver_deployment.md
+++ b/docs/nix_keyserver_deployment.md
@@ -37,6 +37,10 @@
 - `COMM_DATABASE_USER`: The username the keyserver uses to connect to MariaDB. Replace `` with your desired username.
 - `COMM_DATABASE_PASSWORD`: Corresponding password for the above user. Replace `` with your desired password.
+### Primary / secondary configuration
+
+- `COMM_NODE_ROLE`: Specifies whether a node is primary or secondary. Currently only used for multi-node keyservers, and as such is irrelevant to the Docker Compose workflow described here.
+
 ### Identity service configuration
 - `COMM_JSONCONFIG_secrets_user_credentials`: Credentials for authenticating against the Identity service. Replace `` and `` with any values. In the future, they will need to be actual credentials registered with the Identity service.
diff --git a/keyserver/src/keyserver.js b/keyserver/src/keyserver.js
--- a/keyserver/src/keyserver.js
+++ b/keyserver/src/keyserver.js
@@ -88,17 +88,22 @@
 const isCPUProfilingEnabled = process.env.KEYSERVER_CPU_PROFILING_ENABLED;
 const areEndpointMetricsEnabled = process.env.KEYSERVER_ENDPOINT_METRICS_ENABLED;
+ const isPrimaryNode = process.env.COMM_NODE_ROLE
+ ? process.env.COMM_NODE_ROLE === 'primary'
+ : true;
 if (cluster.isMaster) {
- const didMigrationsSucceed: boolean = await migrate();
- if (!didMigrationsSucceed) {
- // The following line uses exit code 2 to ensure nodemon exits
- // in a dev environment, instead of restarting. Context provided
- // in https://github.com/remy/nodemon/issues/751
- process.exit(2);
+ if (isPrimaryNode) {
+ const didMigrationsSucceed: boolean = await migrate();
+ if (!didMigrationsSucceed) {
+ // The following line uses exit code 2 to ensure nodemon exits
+ // in a dev environment, instead of restarting. Context provided
+ // in https://github.com/remy/nodemon/issues/751
+ process.exit(2);
+ }
 }
- if (shouldDisplayQRCodeInTerminal) {
+ if (shouldDisplayQRCodeInTerminal && isPrimaryNode) {
 try {
 const aes256Key = crypto.randomBytes(32).toString('hex');
 const ed25519Key = await getContentSigningKey();
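Review bot: The `isPrimaryNode` ternary treats any non-empty `COMM_NODE_ROLE` other than the exact string `'primary'` as secondary, so a typo or different casing silently skips `migrate()` and the QR-code path, while an unset variable silently makes the node primary. In a multi-node deployment the second case means a node that lost its environment would run migrations alongside the real primary. I would validate the value at startup and log the resolved role, for example `const role = process.env.COMM_NODE_ROLE;` followed by `if (role && role !== 'primary' && role !== 'secondary') { console.error('invalid COMM_NODE_ROLE'); process.exit(2); }`. The `'secondary'` literal is an assumption, since neither this hunk nor the docs hunk names the accepted values. The enclosing function starts and ends outside the hunk.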
@@ -131,12 +136,15 @@
 // commServicesAccessToken. In the future, this will be necessary for
 // many keyserver operations.
 const identityInfo = await verifyUserLoggedIn();
- // We don't await here, as Tunnelbroker communication is not needed for
- // normal keyserver behavior yet. In addition, this doesn't return
- // information useful for other keyserver functions.
- ignorePromiseRejections(createAndMaintainTunnelbrokerWebsocket(null));
- if (process.env.NODE_ENV === 'development') {
- await createAuthoritativeKeyserverConfigFiles(identityInfo.userId);
+
+ if (isPrimaryNode) {
+ // We don't await here, as Tunnelbroker communication is not needed
+ // for normal keyserver behavior yet. In addition, this doesn't
+ // return information useful for other keyserver functions.
+ ignorePromiseRejections(createAndMaintainTunnelbrokerWebsocket(null));
+ if (process.env.NODE_ENV === 'development') {
+ await createAuthoritativeKeyserverConfigFiles(identityInfo.userId);
+ }
 }
 } catch (e) {
 console.warn(
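Review bot: The moved comment still explains only why the Tunnelbroker call is not awaited. Nothing says why `createAndMaintainTunnelbrokerWebsocket(null)` and the development-only `createAuthoritativeKeyserverConfigFiles` are now limited to the primary node, or that secondary nodes still call `verifyUserLoggedIn()`. I would add a line above the new guard such as `// Only the primary node maintains the Tunnelbroker connection and writes the authoritative config files; secondaries only verify the login.`, with the wording confirmed by the author. A one-line log of the skipped steps on secondaries would also make a misconfigured role visible in the startup output. The surrounding `try` begins above the hunk and the `catch` body continues below it.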