diff --git a/cmd/generate.go b/cmd/generate.go
index 4ab10da22a..806946244b 100644
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -70,7 +70,7 @@ func runGenerateInternalToken(c *cli.Context) error {
 }
 
 func runGenerateLfsJwtSecret(c *cli.Context) error {
-	_, jwtSecretBase64, err := generate.NewJwtSecretBase64()
+	_, jwtSecretBase64, err := generate.NewJwtSecret()
 	if err != nil {
 		return err
 	}
diff --git a/modules/generate/generate.go b/modules/generate/generate.go
index ee3c76059b..df3e2474f9 100644
--- a/modules/generate/generate.go
+++ b/modules/generate/generate.go
@@ -38,22 +38,14 @@ func NewInternalToken() (string, error) {
 	return internalToken, nil
 }
 
-// NewJwtSecret generates a new value intended to be used for JWT secrets.
-func NewJwtSecret() ([]byte, error) {
+// NewJwtSecret generates a new base64 encoded value intended to be used for JWT secrets.
+func NewJwtSecret() ([]byte, string, error) {
 	bytes := make([]byte, 32)
-	_, err := io.ReadFull(rand.Reader, bytes)
-	if err != nil {
-		return nil, err
-	}
-	return bytes, nil
-}
-
-// NewJwtSecretBase64 generates a new base64 encoded value intended to be used for JWT secrets.
-func NewJwtSecretBase64() ([]byte, string, error) {
-	bytes, err := NewJwtSecret()
+	_, err := rand.Read(bytes)
 	if err != nil {
 		return nil, "", err
 	}
+
 	return bytes, base64.RawURLEncoding.EncodeToString(bytes), nil
 }
 
diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index a5ea537cef..7ab90669e7 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -64,7 +64,7 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
 	LFS.JWTSecretBase64 = loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
 	LFS.JWTSecretBytes, err = util.Base64FixedDecode(base64.RawURLEncoding, []byte(LFS.JWTSecretBase64), 32)
 	if err != nil {
-		LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64()
+		LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecret()
 		if err != nil {
 			return fmt.Errorf("error generating JWT Secret for custom config: %v", err)
 		}
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 10cadf03dd..4bc0bb88c8 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -131,12 +131,11 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 
 	if InstallLock {
 		if _, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(OAuth2.JWTSecretBase64), 32); err != nil {
-			key, err := generate.NewJwtSecret()
+			_, OAuth2.JWTSecretBase64, err = generate.NewJwtSecret()
 			if err != nil {
 				log.Fatal("error generating JWT secret: %v", err)
 			}
 
-			OAuth2.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(key)
 			saveCfg, err := rootCfg.PrepareSaving()
 			if err != nil {
 				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
diff --git a/routers/install/install.go b/routers/install/install.go
index cb7818bd33..4adda53e69 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -413,7 +413,7 @@ func SubmitInstall(ctx *context.Context) {
 		cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
 		cfg.Section("lfs").Key("PATH").SetValue(form.LFSRootPath)
 		var lfsJwtSecret string
-		if _, lfsJwtSecret, err = generate.NewJwtSecretBase64(); err != nil {
+		if _, lfsJwtSecret, err = generate.NewJwtSecret(); err != nil {
 			ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
 			return
 		}