diff --git a/data_bags/credentials/mastodon.json b/data_bags/credentials/mastodon.json index 90af0ab..b3444b3 100644 --- a/data_bags/credentials/mastodon.json +++ b/data_bags/credentials/mastodon.json 
@@ -1,93 +1,114 @@ { "id": "mastodon", + "active_record_encryption_deterministic_key": { + "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n", + "iv": "XMp6wqwzStXZx+F3\n", + "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "active_record_encryption_key_derivation_salt": { + "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n", + "iv": "tn9C+igusYMH6GyM\n", + "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "active_record_encryption_primary_key": { + "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n", + "iv": "tnB0pQ3OGDne3mN/\n", + "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, "paperclip_secret": { - "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n", - "iv": "X5atp/KaIurfln/u\n", - "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n", + "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n", + "iv": "RWiLePhFyPekYSl9\n", + "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "secret_key_base": { - "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n", - "iv": "HFT7fdGQ2KRJ2NFy\n", - "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n", + "encrypted_data": 
"K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n", + "iv": "/yMMmz1YtKIs5HSd\n", + "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "otp_secret": { - "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n", - "iv": "00/vs5zTdoC19+pS\n", - "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n", + "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n", + "iv": "wqJBLdZhJ7M/KRG9\n", + "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n", "version": 3, "cipher": "aes-256-gcm" }, "aws_access_key_id": { - "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n", - "iv": "paoDKp6EIU8bjxzF\n", - "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n", + "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n", + "iv": "JNvf21KhdM3yoLGt\n", + "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n", "version": 3, "cipher": "aes-256-gcm" }, "aws_secret_access_key": { - "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n", - "iv": "R/hvvOvmqq/uoKbx\n", - "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n", + "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n", + "iv": "FDTPQQDLUMKW7TXx\n", + "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_bind_dn": { - "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n", - "iv": "8rQ0M4LT1HbCNpq9\n", - "auth_tag": 
"AuO5R6WCtd75TGJNfgFSCg==\n", + "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n", + "iv": "QCQF0+vH+//+nDxr\n", + "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_password": { - "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n", - "iv": "mixYzDKkPSIDQ/l+\n", - "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n", + "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n", + "iv": "md2/etFJ1r/BKaYg\n", + "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n", "version": 3, "cipher": "aes-256-gcm" }, "smtp_user_name": { - "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n", - "iv": "ZlDK854w+vTNmeJe\n", - "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n", + "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n", + "iv": "lQR77ETTtIIyaG1r\n", + "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n", "version": 3, "cipher": "aes-256-gcm" }, "smtp_password": { - "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n", - "iv": "D1OVfD5bMcefM5DP\n", - "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n", + "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n", + "iv": "IU2x4ips9HWmKoxi\n", + "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "vapid_private_key": { - "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n", - "iv": "HVhNdFQl0TvCcjsa\n", - "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n", + "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n", + "iv": "Mg7NhPl31O6Z4P+v\n", + "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n", "version": 3, "cipher": "aes-256-gcm" }, "vapid_public_key": { - "encrypted_data": 
"nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n", - "iv": "xHrVl+4JGkQbfUW3\n", - "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n", + "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n", + "iv": "rgUglYiHB/mhqGha\n", + "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n", "version": 3, "cipher": "aes-256-gcm" }, "s3_key_id": { - "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n", - "iv": "QTxO+IfYcpI170ON\n", - "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n", + "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n", + "iv": "/qI8F9cvnfKG7ZXE\n", + "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n", "version": 3, "cipher": "aes-256-gcm" }, "s3_secret_key": { - "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n", - "iv": "9AwabheRFOgC8IKR\n", - "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n", + "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n", + "iv": "pO7bm3aOtjuwYjG/\n", + "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index 1cd9134..6f0e0fa 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -63,8 +63,6 @@ "redisio::disable_os_default", "redisio::configure", "redisio::enable", - "nodejs::npm", - "nodejs::install", "backup::default", "logrotate::default" ], diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index a7c17ba..921f0f5 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb 
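Review bot: Every existing item visible in this hunk (`paperclip_secret` through `s3_secret_key`) gets a new `encrypted_data`, `iv` and `auth_tag`, not only the three added `active_record_encryption_*` items, so the diff cannot show whether an existing secret was rotated or only re-encrypted when the bag was saved. The commit message should say which it was, for example `existing items re-encrypted on save, values unchanged`, so a later audit of `secret_key_base` or `otp_secret` does not have to guess. The three new values should also be backed up with the data bag secret, since the application presumably cannot read its encrypted database columns without them.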
@@ -1,5 +1,5 @@ node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git" -node.default["kosmos-mastodon"]["revision"] = "production" +node.default["kosmos-mastodon"]["revision"] = "production-4.3" node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon" node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1" node.default["kosmos-mastodon"]["app_port"] = 3000 diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 2f57789..7b4dd57 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -3,7 +3,7 @@ # Recipe:: default # -node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x" +node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x" include_recipe "kosmos-nodejs" include_recipe "java" @@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git curl pkg-config libprotobuf-dev protobuf-compiler libidn11 libidn11-dev libjemalloc2 libpq-dev) -npm_package "yarn" do - version "1.22.4" -end - -ruby_version = "3.3.0" +ruby_version = "3.3.5" ruby_path = "/opt/ruby_build/builds/#{ruby_version}" bundle_path = "#{ruby_path}/bin/bundle" @@ -194,6 +190,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do variables redis_url: node["kosmos-mastodon"]["redis_url"], domain: node["kosmos-mastodon"]["domain"], alternate_domains: node["kosmos-mastodon"]["alternate_domains"], + active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"], + active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"], + active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"], paperclip_secret: credentials['paperclip_secret'], secret_key_base: credentials['secret_key_base'], otp_secret: credentials['otp_secret'], 
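Review bot: The three `active_record_encryption_*` entries added to `variables` put more long-lived key material into the rendered `.env` file, and nothing in the hunk shows the `template` resource setting `sensitive true` or a restrictive `mode`. The resource starts above the hunk and continues below it, so both may already be present; if not, add `sensitive true` so Chef does not print the rendered secrets as a diff in converge output. A missing data bag item would render as an empty value rather than fail the run, so a guard such as `raise "missing active_record_encryption_primary_key" if credentials["active_record_encryption_primary_key"].nil?` before the resource would surface it at converge time. The new entries use double-quoted keys while the neighbouring `credentials['paperclip_secret']` lines use single quotes.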
@@ -231,7 +230,7 @@ execute "yarn install" do environment deploy_env user mastodon_user cwd mastodon_path - command "yarn install --frozen-lockfile" + command "corepack prepare && yarn install --immutable" end execute "rake assets:precompile" do diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.erb index 2178b2b..f42a53e 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/env.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/env.erb @@ -12,6 +12,9 @@ LOCAL_HTTPS=true # Application secrets # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose) +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %> +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %> +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %> PAPERCLIP_SECRET=<%= @paperclip_secret %> SECRET_KEY_BASE=<%= @secret_key_base %> OTP_SECRET=<%= @otp_secret %>
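Review bot: `corepack prepare && yarn install --immutable` assumes a `yarn` shim is already on the PATH of `mastodon_user`, but this commit removes the `npm_package "yarn"` resource and nothing visible runs `corepack enable`. Unless `kosmos-nodejs` does that, the command likely fails on a fresh node, or on an existing one picks up whatever Yarn the removed resource left behind. Calling through Corepack avoids depending on the shim: `command "corepack prepare && corepack yarn install --immutable"`. Since `corepack prepare` without arguments downloads the version named in the checkout's `packageManager` field at converge time, that field in the deployed branch decides which binary runs, and it is worth confirming that it pins an exact version.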
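Review bot: The comment directly above the added lines still says to generate each secret with `rake secret`, which does not describe the three `ACTIVE_RECORD_ENCRYPTION_*` values; Mastodon 4.3 documents `bin/rails db:encryption:init` for them. Add a line above the new entries such as `# ACTIVE_RECORD_ENCRYPTION_*: generate once with bin/rails db:encryption:init; never change after first use`. The values are interpolated unquoted, as the existing secrets are, so the file relies on the generated keys containing no whitespace or `#`.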