method

secret_key_base

rails latest stable - Class: Rails::Application

secret_key_base()

public

The secret_key_base is used as the input secret to the application’s key generator, which in turn is used to create all ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor instances, including the ones that sign and encrypt cookies.

In development and test, this is randomly generated and stored in a temporary file in tmp/local_secret.txt.

You can also set ENV["SECRET_KEY_BASE_DUMMY"] to trigger the use of a randomly generated secret_key_base that’s stored in a temporary file. This is useful when precompiling assets for production as part of a build step that otherwise does not need access to the production secrets.

Dockerfile example: RUN SECRET_KEY_BASE_DUMMY=1 bundle exec rails assets:precompile.

In all other environments, we look for it first in ENV["SECRET_KEY_BASE"], then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications, the correct place to store it is in the encrypted credentials file.

# File railties/lib/rails/application.rb, line 478
    def secret_key_base
      if Rails.env.local? || ENV["SECRET_KEY_BASE_DUMMY"]
        config.secret_key_base ||= generate_local_secret
      else
        validate_secret_key_base(
          ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || begin
            secret_skb = secrets_secret_key_base

            if secret_skb.equal?(config.secret_key_base)
              config.secret_key_base
            else
              Rails.deprecator.warn(<<~MSG.squish)
                Your `secret_key_base` is configured in `Rails.application.secrets`,
                which is deprecated in favor of `Rails.application.credentials` and
                will be removed in Rails 7.2.
              MSG

              secret_skb
            end
          end
        )
      end
    end

secret_key_base

Related methods