Skip to main content

Rails Master Key

Description

General

  • Documentation: https://guides.rubyonrails.org/security.html#custom-credentials
  • Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypt secrets before storing them in a credentials.yml.enc file. This file contains at least the secret_key_base of the application that is used to encrypt cookies as well as any other secret useful to the application such as API keys. To encrypt the credentials.yml.enc file, Rails uses a key stored in a master.key file. This detector focuses on catching this master key.

Revoke the secret

If it does not exist yet, the master.key file is created when the credentials file is edited with the command bin/rails credentials:edit. This is a good way to generate a new master key.

Check for suspicious activity

Details for Rails master key assignment

  • Family: PrivateKey

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: very rare

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames:
- ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$
- ^(.*/|)master.key$
check_binaries: false
include_default_banlist_extensions: true
ban_markup: true
- type: ContentWhitelistPreValidator
patterns:
- rails_master_key

Examples

- text: |
RAILS_MASTER_KEY = efa44cc0e89b44d78a8d44067cf1962c
secret_key: efa44cc0e89b44d78a8d44067cf1962c

- text: |
RAILS_MASTER_KEY='29ee8ed0227c4ef18127081a482c43c6'
secret_key: 29ee8ed0227c4ef18127081a482c43c6

- text: |
RAILS_MASTER_KEY: "92dd4344e28e4b2383e8dbdaf2575af5"
secret_key: 92dd4344e28e4b2383e8dbdaf2575af5

- text: |
RAILS_MASTER_KEY="c8fad09976234d4db5c382d88ffbd598"
secret_key: c8fad09976234d4db5c382d88ffbd598

Details for Rails secret key base master key

  • Family: PrivateKey

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 3.68

  • Prefixed: False

  • PreValidators:

- type: FilenameWhitelistPreValidator
whitelist_extensions: []
whitelist_filenames: []
whitelist_filepaths:
- ^(.*/|)master.key$
- ^(.*/|)config/credentials/[^/]*(?<!test)(?<!dev)(?<!development)\.key$

Examples

- text: 127038aa5eb2406d6a8cdf2c3de55341
secret_key: 127038aa5eb2406d6a8cdf2c3de55341

- text: 127038aa5eb2406d6a8cdf2c3de55341
secret_key: 127038aa5eb2406d6a8cdf2c3de55341
# Skip this one because we can't detect it with ggshield
skip_sample_secrets: true

- text: 243438AE2EF6007F6A8BAB5D8BB54326
secret_key: 243438AE2EF6007F6A8BAB5D8BB54326
# Skip this one because we can't detect it with ggshield
skip_sample_secrets: true

- text: 243438AE2EF6007F6A8BAB5D8BB54326
secret_key: 243438AE2EF6007F6A8BAB5D8BB54326

How can I help you ?