Add further warnings about encryption secrets (#32476)

config/initializers/active_record_encryption.rb

@@ -20,6 +20,7 @@
         - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 
       Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
+      Do not change the secrets once they are set, as doing so may cause data loss and other issues that will be difficult or impossible to recover from.
     MESSAGE
   end
 

lib/tasks/db.rake

@@ -7,6 +7,17 @@ namespace :db do
   namespace :encryption do
     desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
     task :init do # rubocop:disable Rails/RakeEnvironment
+      if %w(
+        ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+        ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+        ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+      ).any? { |key| ENV.key?(key) }
+        pastel = Pastel.new
+        puts pastel.red(<<~MSG)
+          WARNING: It looks like encryption secrets have already been set. Please ensure you are not changing secrets for a Mastodon installation that already uses them, as this will cause data loss and other issues that are difficult to recover from.
+        MSG
+      end
+
       puts <<~MSG
         Add the following secret environment variables to your Mastodon environment (e.g. .env.production), ensure they are shared across all your nodes and do not change them after they are set:#{' '}