What to do if you lose your Mastodon instance’s environment variables file

One of the most important files loaded when running a Mastodon instance is your environment variables file, commonly named .env.production. This file includes several secrets that, if lost, will break your ability to easily migrate your instance (assuming you have a recent files/database backup). This post explains how to recover your instance so you don’t have to start over and upset your users.

Follow all of the normal steps to migrate over to a new server

I’m assuming that if you’ve lost this file you are restoring from backups. Follow the steps in the Mastodon Documentation to reinstall Mastodon and import the database/files. Before you can start any sort of recovery effort you’ll need to cover your bases. This will be the easiest part of disaster recovery.

Disable two-factor-auth for all users

Since you’ve lost your cryptographic secrets, two-factor-auth tokens are now invalid. You will have to tell your users what happened and ask them to remove their account from their authenticator apps and to add it back by enabling two-factor-auth again in account settings. Unfortunately, there is no easy command to do this. Instead, you will have to drop into a PostgreSQL console and overwrite the two-factor fields in the users table. Be careful with this console and take a backup first. If anything goes wrong, you’ll want to be able to recover.

sudo -u postgres psql mastodon_production

UPDATE users SET encrypted_otp_secret='';
UPDATE users SET encrypted_otp_secret_iv='';
UPDATE users SET encrypted_otp_secret_salt='';
UPDATE users SET otp_required_for_login=false;

Back up the environment variables file

Once your service is recovered, make sure to back up your environment variables file so you don’t have this problem again. Within a few hours your instance should be back up and running as normal, without any major disruptions.
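One way to script that backup, as an added example that is not part of the original post: the function refuses to copy a file that is already missing a secret, writes the copy with owner-only permissions and verifies it byte for byte. The key list in REQUIRED_KEYS and the function name are assumptions; adjust the list to the secrets your Mastodon version actually uses.

```shell
#!/bin/sh
# Added example: validate and back up a Mastodon environment file.
# REQUIRED_KEYS is an assumption; adjust it to the secrets your version uses.
REQUIRED_KEYS="SECRET_KEY_BASE OTP_SECRET VAPID_PRIVATE_KEY VAPID_PUBLIC_KEY"

# backup_env_file SRC DEST_DIR (hypothetical helper name)
# Prints the path of the backup on success; returns non-zero on failure.
backup_env_file() {
    src=$1
    dest_dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Refuse to back up a file that is already missing a secret.
    for key in $REQUIRED_KEYS; do
        if ! grep -Eq "^${key}=.+" "$src"; then
            echo "missing or empty: $key" >&2
            return 2
        fi
    done

    # Create the directory and the copy readable by the owner only.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest_dir" || { umask "$old_umask"; return 1; }
    dest="$dest_dir/env.production.$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$src" "$dest"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    chmod 600 "$dest" || return 1

    # Verify the copy byte for byte before trusting it.
    cmp -s "$src" "$dest" || { echo "copy mismatch" >&2; rm -f "$dest"; return 3; }
    printf '%s\n' "$dest"
}
```

Call it with the path to your .env.production and a backup directory, then move the resulting file to storage that is kept separate from the server and from the database backups.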