Skip to main content

Rails Master Key

Description#

General#

  • Documentation: https://guides.rubyonrails.org/security.html#custom-credentials
  • Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypt secrets before storing them in a credentials.yml.enc file. This file contains at least the secret_key_base of the application that is used to encrypt cookies as well as any other secret useful to the application such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file. This detector focuses on catching this master key.

Revoke the secret#

If it does not exist yet, the master.key file is created when the credentials file is edited with the command bin/rails credentials:edit. This is a good way to generate a new master key.

Check for suspicious activity#

Details for Rails secret key base master key#

  • Family: PrivateKey

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 7.7

  • Prefixed: False

  • PreValidators:

- type: FilenameWhitelistPreValidator  whitelist_extensions: []  whitelist_filenames: []  whitelist_filepaths:  - ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$  - ^(.*/|)master.key$

Examples#

- text: 127038aa5eb2406d6a8cdf2c3de55341  secret_key: 127038aa5eb2406d6a8cdf2c3de55341
- text: 127038aa5eb2406d6a8cdf2c3de55341  secret_key: 127038aa5eb2406d6a8cdf2c3de55341  # Skip this one because we can't detect it with ggshield  skip_sample_secrets: true
- text: 243438AE2EF6007F6A8BAB5D8BB54326  secret_key: 243438AE2EF6007F6A8BAB5D8BB54326  # Skip this one because we can't detect it with ggshield  skip_sample_secrets: true
- text: 243438AE2EF6007F6A8BAB5D8BB54326  secret_key: 243438AE2EF6007F6A8BAB5D8BB54326