diff --git a/.env.production.sample b/.env.production.sample
index 87ea031c4c..3dd66abae4 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -50,6 +50,7 @@ OTP_SECRET=
 # Must be available (and set to same values) for all server processes
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do not change these secrets once in use, as this would cause data loss and other issues
 # ------------------
 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index c53f16d4d1..9ae28e401b 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -10,7 +10,9 @@
     ENV[key] = SecureRandom.hex(64)
   end
 
-  value = ENV.fetch(key) do
+  value = ENV.fetch(key, '')
+
+  if value.blank?
     abort <<~MESSAGE
 
       Mastodon now requires that these variables are set: