diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index 5dbb7170c..87fc5f72b 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -138,7 +138,8 @@ default:
 # scm_stderr_log_file: /var/log/redmine_scm_stderr.log
 scm_stderr_log_file:
- # Key used to encrypt sensitive data in the database (SCM and LDAP passwords).
+ # Key used to encrypt sensitive data in the database (SCM and LDAP passwords,
+ # and TOTP (two-factor authentication) secret keys).
 # If you don't want to enable data encryption, just leave it blank.
 # WARNING: losing/changing this key will make encrypted data unreadable.
 #
diff --git a/lib/tasks/ciphering.rake b/lib/tasks/ciphering.rake
index 07e96b5d6..fb97cde30 100644
--- a/lib/tasks/ciphering.rake
+++ b/lib/tasks/ciphering.rake
@@ -20,7 +20,8 @@ namespace :db do
 desc 'Encrypts SCM and LDAP passwords in the database.'
 task :encrypt => :environment do
 unless (Repository.encrypt_all(:password) &&
- AuthSource.encrypt_all(:account_password))
+ AuthSource.encrypt_all(:account_password) &&
+ User.encrypt_all(:twofa_totp_key))
 raise "Some objects could not be saved after encryption, update was rolled back."
 end
 end
@@ -28,7 +29,8 @@ namespace :db do
 desc 'Decrypts SCM and LDAP passwords in the database.'
 task :decrypt => :environment do
 unless (Repository.decrypt_all(:password) &&
- AuthSource.decrypt_all(:account_password))
+ AuthSource.decrypt_all(:account_password) &&
+ User.decrypt_all(:twofa_totp_key))
 raise "Some objects could not be saved after decryption, update was rolled back."
 end
 end
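Review bot: In the `db:encrypt` hunk the new `User.encrypt_all(:twofa_totp_key)` is the last operand of an `&&` chain, so it only runs after the Repository and AuthSource calls have returned, yet a failure there still raises "update was rolled back". `encrypt_all` is not visible in this diff; if each call commits its own transaction, the message overstates what was undone and the database can be left with passwords encrypted and TOTP keys still in clear text. Consider running the three calls inside a single `ActiveRecord::Base.transaction do ... end` so the raise undoes all of them, or at least have the message name the model that failed. The `db:decrypt` hunk has the same shape and the same message problem.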
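Review bot: The `desc` of `db:decrypt` still reads 'Decrypts SCM and LDAP passwords in the database.' although the task now also calls `User.decrypt_all(:twofa_totp_key)`, which presumably stores every user's TOTP secret unencrypted. An operator reading `rake -T` should be able to see that running this task leaves two-factor secrets in clear text in the database and in any later backup. I would change it to `desc 'Decrypts SCM and LDAP passwords and TOTP secret keys in the database.'` and make the matching edit to the `db:encrypt` description in the previous hunk.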