What is the use of secret_key_base in rails 4

ruby-on-rails ruby ruby-on-rails-4 ruby-on-rails-5 ruby-on-rails-6
Mani David picture Mani David · Aug 21, 2014 · Viewed 60.8k times · Source

I am new to Rails 4, and do not understand the use of secret_key_base under config/secrets.yml in Rails 4. Can you please explain this concept?

Also, when I am working in the production environment, I am prompted to set the secret_key with devise.rb, config.secret_key, and secret_key_base. However, I can generate a new secret using the rake secret command.

What is the difference between development and production environments?

How is it matching the newly generated secret_key when I add it with secret_key_base every time I generate?

How is it securing the application with other servers?

Answer

Andrey Deineko picture Andrey Deineko · Aug 21, 2014

The secret_token.rb file's content includes a long randomized string which is used to verify the integrity of signed cookies (such as user sessions when people are signed into your web app).

Documentation says:

Use your existing secret_key_base from the secret_token.rb initializer to set the SECRET_KEY_BASE environment variable for whichever users run the Rails app in production mode. Alternately, you can simply copy the existing secret_key_base from the secret_token.rb initializer to secrets.yml under the production section, replacing <%= ENV["SECRET_KEY_BASE"] %>.

Since it is important file, and you can't put it to .gitignore, it is treated to be a good practice to use env variable to store secret_key_base value:

create .env or .powenv file and store it as:

export SECRET_TOKEN="9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4laalal19cb"

And then in config/initializers/secret_token.rb 

YourAppName::Application.config.secret_key_base = if Rails.env.development? or Rails.env.test? # generate simple key for test and development environments
  ('a' * 30) # should be at least 30 chars long
else
  ENV['SECRET_TOKEN']
end

This article is (a bit old and) long but really full of useful info on the topic.

UPDATE 04.05.15

Starting from Rails 4.2 there is no longer secret_token.rb file. By new convention there is a config/secrets.yml file aimed to store application's secrets.

Have a read on how to upgrade an existing app to 4.2.x according to innovations.

Technically the purpose of secrect_key_base is to be the secret input for the application’s key_generator method (check Rails.application.key_generator).

The application’s key_generator, and thus secret_key_base, are used by three core features within the Rails framework:

  • Deriving keys for encrypted cookies which are accessible via cookies.encrypted.
  • Deriving the key for HMAC signed cookies which are accessible via cookies.signed.
  • Deriving keys for all of the application’s named message_verifier instances.

Check out more on each of the three in the article by @michaeljcoyne.

Related questions

rescue_from ActionController::RoutingError in Rails 4

I've got the following error: ActionController::RoutingError (No route matches [GET] "/images/favicon.ico") I want to show error404 page for links that are not existing. How can I achieve that?

Read More
Change the default value for table column with migration

I try to change the default column value from false to true. But when I run rake db:migrate VERSION=904984092840298 I got the following ERROR. StandardError: An error has occurred, this and all later migrations canceled: PG::InvalidTextRepresentation: ERROR: invalid …

Read More
How to get a random number in Ruby

How do I generate a random number between 0 and n?

Read More