diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index df19efb55fd..33163d9789b 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -41,6 +41,11 @@ let
namespace: resque:gitlab
'';
+ secretsYml = ''
+ production:
+ db_key_base: ${cfg.secrets.db_key_base}
+ '';
+
gitlabConfig = {
# These are the default settings from config/gitlab.example.yml
production = flip recursiveUpdate cfg.extraConfig {
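Review bot: The secret is interpolated into the module expression at `db_key_base: ${cfg.secrets.db_key_base}`, and the `@@ -467,6 +485,7 @@` hunk below then writes secretsYml with `pkgs.writeText`, so the key ends up in a world-readable /nix/store path; the `chown -R` on the state directory does not protect it because config/secrets.yml is only a symlink into the store. A safer shape would be to accept a file path that is read at activation time (outside the store) and render secrets.yml into `${cfg.statePath}/config` at runtime with restricted permissions, instead of embedding the value in the derivation. At minimum the option description should state that the configured value becomes world-readable on the host. The enclosing `let` binding starts before this hunk.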
@@ -313,6 +318,19 @@ in {
};
};
+ secrets.db_key_base = mkOption {
+ type = types.str;
+ example = "";
+ description = ''
+ The db_key_base secrets is used to encrypt variables in the DB. If
+ you change or lose this key you will be unable to access variables
+ stored in database.
+
+ Make sure the secret is at least 30 characters and all random,
+ no regular words or you'll be exposed to dictionary attacks.
+ '';
+ };
+
extraConfig = mkOption {
type = types.attrs;
default = {};
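Review bot: `example = ""` on the new `secrets.db_key_base` option gives the reader nothing to go on; use a clearly marked placeholder such as `example = "<random string of at least 30 characters>";` rather than a literal key, so nothing is copied verbatim into deployments. The option also has no `default`, and since secretsYml references it, presumably every existing `services.gitlab` configuration fails evaluation with an "option is used but not defined" error on upgrade; if that is intended, say so in the description, otherwise `default = null` plus an assertion would be gentler. The description reads "The db_key_base secrets is used" — `secret`, singular. The enclosing options attrset starts and ends outside the hunk.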
@@ -467,6 +485,7 @@ in {
# JSON is a subset of YAML
ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
+ ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml
index a8147b3a74f..83f715a50b4 100644
--- a/nixos/modules/services/misc/gitlab.xml
+++ b/nixos/modules/services/misc/gitlab.xml
@@ -62,6 +62,7 @@ services.gitlab = {
address = "localhost";
port = 25;
};
+ secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
extraConfig = {
gitlab = {
email_from = "gitlab-no-reply@example.com";
@@ -74,6 +75,12 @@ services.gitlab = {
+If you're setting up a new Gitlab instance, generate a new
+db_key_base secret to encrypt sensible data in the
+database. If you're restoring an existing Gitlab instance, you must
+specify the db_key_base secret from
+config/secrets.yml in your Gitlab state folder.
+
Refer to for all available configuration
options for the services.gitlab module.
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 19ba21e9e76..453bae3613c 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -70,6 +70,7 @@ stdenv.mkDerivation rec {
SKIP_STORAGE_VALIDATION=true \
rake assets:precompile RAILS_ENV=production
mv config/gitlab.yml config/gitlab.yml.example
+ rm config/secrets.yml
mv config config.dist
'';
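Review bot: `rm config/secrets.yml` is a hard failure if the file is absent, so the build breaks as soon as a GitLab release stops generating that file during `rake assets:precompile` (it is presumably created there, since nothing visible in the hunk writes it); `rm -f config/secrets.yml` keeps the intent without that fragility. A one-line comment such as `# drop the build-time generated secrets.yml; the NixOS module supplies the real one` would also record why the file is removed rather than shipped. The shell phase string this hunk sits in begins outside the hunk.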