diff --git a/start.sh b/start.sh
index a79dc36..f8d6c18 100755
--- a/start.sh
+++ b/start.sh
@@ -47,6 +47,17 @@ fi
 
 rm -f /run/mastodon/Gemfile.lock && cp /app/code/Gemfile.lock.original /run/mastodon/Gemfile.lock
 
+# generate new secrets
+if ! grep "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY" /app/data/env.production; then
+    echo "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(openssl rand -hex 16)" >> /app/data/env.production
+fi
+if ! grep "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT" /app/data/env.production; then
+    echo "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(openssl rand -hex 16)" >> /app/data/env.production
+fi
+if ! grep "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY" /app/data/env.production; then
+    echo "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(openssl rand -hex 16)" >> /app/data/env.production
+fi
+
 if grep -q "^SECRET_KEY_BASE=$" /app/data/env.production; then
     echo "==> Generating secrets"
     export RANDFILE=/tmp/.rnd