diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index ab64dfca820fb48c7ff39e651f8abb7cf796ff19..c76cdc3bb908d31503f72017679abb567104166e 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -25,6 +25,9 @@ module TokenAuthenticatableStrategies
       #
       # In that case we are using insecure strategy, but this should only happen
       # in tests, because otherwise `encrypted_field` is going to exist.
+      #
+      # Another use case is when we are caching resources / columns, like we do
+      # in case of ApplicationSetting.
 
       return super if instance.has_attribute?(encrypted_field)
 
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/settings.rb b/lib/gitlab/background_migration/models/encrypt_columns/settings.rb
index 578d2ee7fbf99af32474afb697e24bce5733a2a5..7caed7f77aaf1a02de12900480b18d09ef38b44c 100644
--- a/lib/gitlab/background_migration/models/encrypt_columns/settings.rb
+++ b/lib/gitlab/background_migration/models/encrypt_columns/settings.rb
@@ -9,10 +9,15 @@ module Gitlab
         #
         class Settings < ActiveRecord::Base
           include ::EachBatch
+          include ::CacheableAttributes
 
           self.table_name = 'application_settings'
           self.inheritance_column = :_type_disabled
 
+          after_commit do
+            ApplicationSetting.expire
+          end
+
           def runners_registration_token=(value)
             self.runners_registration_token_encrypted =
               ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)