diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index f86653f3ead..38a541485e5 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -588,7 +588,7 @@ in {
           the DB. If you change or lose this key you will be unable to
           access variables stored in database.
 
-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
           no regular words or you'll be exposed to dictionary attacks.
 
           This should be a string, not a nix path, since nix paths are
@@ -604,7 +604,7 @@ in {
           the DB. If you change or lose this key you will be unable to
           access variables stored in database.
 
-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
           no regular words or you'll be exposed to dictionary attacks.
 
           This should be a string, not a nix path, since nix paths are
@@ -620,7 +620,7 @@ in {
           tokens. If you change or lose this key, users which have 2FA
           enabled for login won't be able to login anymore.
 
-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
           no regular words or you'll be exposed to dictionary attacks.
 
           This should be a string, not a nix path, since nix paths are
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 5d2b923628b..89a2ac6ec95 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@ stdenv.mkDerivation {
   patches = [
     # Change hardcoded paths to the NixOS equivalent
     ./remove-hardcoded-locations.patch
+
+    # Use the exactly 32 byte long version of db_key_base with
+    # aes-256-gcm, see
+    # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+    (fetchpatch {
+      name = "secrets_db_key_base_length.patch";
+      url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+      sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+    })
   ];
 
   postPatch = ''