diff --git a/.env.production.sample b/.env.production.sample
index 87ea031c4ce5353f2d04de1420defa70bb794f07..3dd66abae4fc061170d127dee9d08d2b98342e92 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -50,6 +50,7 @@ OTP_SECRET=
 # Must be available (and set to same values) for all server processes
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do not change these secrets once in use, as this would cause data loss and other issues
 # ------------------
 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb
index c53f16d4d14da14895c88f8c64caafef9b9e5cb0..9ae28e401bab4dd460b248fe6211e80336afa1f4 100644
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -10,7 +10,9 @@
     ENV[key] = SecureRandom.hex(64)
   end
 
-  value = ENV.fetch(key) do
+  value = ENV.fetch(key, '')
+
+  if value.blank?
     abort <<~MESSAGE
 
       Mastodon now requires that these variables are set: