diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 60d6d15..88a4ef4 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -8,7 +8,7 @@ metadata:
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-secrets-ensure-8
+ name: mas-secrets-ensure-9
 namespace: sso
 spec:
 backoffLimit: 0
@@ -64,7 +64,7 @@ spec:
 fi
 printf '%s' "$CLIENT_SECRET" > /work/keycloak_client_secret
- openssl rand -base64 32 > /work/encryption
+ openssl rand -hex 32 > /work/encryption
 openssl rand -hex 32 > /work/matrix_shared_secret
 openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /work/rsa_key >/dev/null 2>&1
 chmod 0644 /work/*
@@ -89,14 +89,19 @@ spec:
 args:
 - |
 set -euo pipefail
+ current=""
 if kubectl -n comms get secret mas-secrets-runtime >/dev/null 2>&1; then
- exit 0
+ current="$(kubectl -n comms get secret mas-secrets-runtime -o jsonpath='{.data.encryption}' | base64 -d 2>/dev/null || true)"
+ if printf '%s' "${current}" | grep -Eq '^[0-9a-fA-F]{64}$'; then
+ exit 0
+ fi
 fi
 kubectl -n comms create secret generic mas-secrets-runtime \
 --from-file=encryption=/work/encryption \
 --from-file=matrix_shared_secret=/work/matrix_shared_secret \
 --from-file=keycloak_client_secret=/work/keycloak_client_secret \
- --from-file=rsa_key=/work/rsa_key >/dev/null
+ --from-file=rsa_key=/work/rsa_key \
+ --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
 volumeMounts:
 - name: work
 mountPath: /work
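Review bot: The switch from `-base64` to `-hex` for `/work/encryption` carries no comment explaining why this one value has a fixed format while `matrix_shared_secret` is generated the same way, and the ensure step later in this file only accepts an existing secret whose `encryption` matches `^[0-9a-fA-F]{64}$`, so the generator and that check must stay in sync. Suggest a comment above the new line such as `# MAS expects 'encryption' as 64 hex chars (32 bytes); the ensure step below accepts an existing secret only in this format`, hedged as "expects" unless the consumer's requirement is confirmed. The generating script starts and ends outside this hunk.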
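Review bot: The new fallback after the hex check does not rotate only the malformed `encryption` value; the `create ... --dry-run=client -o yaml | kubectl apply -f -` pipeline re-submits all four keys from the freshly generated `/work` files, so `rsa_key` and `matrix_shared_secret` are replaced as well whenever the existing `encryption` fails the regex. If tokens or session material are signed with the current `rsa_key`, that is a full credential rotation triggered by a format check, which the script should either make explicit or avoid by carrying the still-valid keys over. At minimum add a comment above the `kubectl -n comms create` line, e.g. `# Regenerates ALL keys (rsa_key, matrix_shared_secret too), not just the malformed encryption value`. Separately, `kubectl apply` records the whole object in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so a second copy of the secret data persists on the object; `kubectl apply --server-side -f -` avoids that annotation if the cluster supports it. The `current=""` initialisation is only read inside the `if` branch and could be dropped or moved there.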