
Rails Master Key

Description

General

  • Documentation: https://guides.rubyonrails.org/security.html#custom-credentials
  • Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypts secrets before storing them in a credentials.yml.enc file. This file contains at least the application's secret_key_base, which is used to encrypt cookies, as well as any other secrets the application needs, such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file. This detector focuses on catching this master key.

Revoke the secret

If it does not exist yet, the master.key file is created when the credentials file is edited with the command bin/rails credentials:edit. This is a good way to generate a new master key.

Check for suspicious activity

Details for Rails secret key base master key

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 13.85

  • Prefixed: False

  • PreValidators:

- type: FilenameWhitelistPreValidator
  whitelist_extensions: []
  whitelist_filenames: []
  whitelist_filepaths:
  - ^(.*/|)master.key$
  - ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$

Examples

- text: 123458bb7ef6402f6a8bcf5d3be54321
  filename: config/master.key
  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: 123458bb7ef6402f6a8bcf5d3be54321
  filename: config/credentials/prod.key
  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: 123458BB7EF6402F6A8BCF5D3BE54321
  filename: some/file/path/config/credentials/prod.key
  secret_key: 123458BB7EF6402F6A8BCF5D3BE54321
- text: 123458BB7EF6402F6A8BCF5D3BE54321
  filename: master.key
  secret_key: 123458BB7EF6402F6A8BCF5D3BE54321
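
The filename patterns from the PreValidators entry can be exercised against a file tree to see which paths are in scope and which are deliberately skipped. The following is an added example, not the detector's own code: the function names, the constructed sample tree, and the 32-hex-character value check (inferred from the examples on this page) are assumptions.

```python
import re

# Filename patterns copied from the PreValidators entry on this page.
FILEPATH_PATTERNS = [
    re.compile(r"^(.*/|)master.key$"),
    re.compile(r"^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$"),
]

# Assumption: value shape inferred from the page's examples (32 hex chars,
# either case); the detector's own content pattern is not shown on the page.
KEY_VALUE = re.compile(r"[0-9a-fA-F]{32}")


def path_in_scope(path):
    """True when the path passes the filename prevalidator."""
    return any(p.search(path) for p in FILEPATH_PATTERNS)


def find_master_keys(files):
    """Return sorted paths whose name is in scope and whose content looks like a key."""
    return sorted(
        path for path, content in files.items()
        if path_in_scope(path) and KEY_VALUE.fullmatch(content.strip())
    )


# Constructed sample tree: the first four paths and the placeholder value come
# from the page's Examples section; the rest are excluded or out-of-scope cases.
SAMPLE = "123458bb7ef6402f6a8bcf5d3be54321"
TREE = {
    "config/master.key": SAMPLE,
    "config/credentials/prod.key": SAMPLE + "\n",
    "some/file/path/config/credentials/prod.key": SAMPLE.upper(),
    "master.key": SAMPLE.upper(),
    "config/credentials/test.key": SAMPLE,           # excluded by (?<!test)
    "config/credentials/dev.key": SAMPLE,            # excluded by (?<!dev)
    "config/credentials/development.key": SAMPLE,    # excluded by (?<!development)
    "config/credentials.yml.enc": "Zm9v--YmFy--YmF6",  # ciphertext file, not the key
    "config/master.key.example": SAMPLE,             # name not in scope
    "config/credentials/prod.key.bak": "not-a-key",  # name not in scope
}

if __name__ == "__main__":
    for hit in find_master_keys(TREE):
        print("master key candidate:", hit)
```

Because the dot in the first pattern is unescaped, a name such as master_key also passes the filename check, and key files whose names end in test, dev or development are skipped by the second pattern.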