Skip to content

Rails Master Key

Service Name: Ruby on Rails

Service Description: Ruby on Rails is an open-source web application framework written in Ruby. The Rails Master Key is a critical secret used to encrypt and decrypt credentials in Rails applications, particularly for managing sensitive configuration values like API keys and passwords.

Service Address: https://rubyonrails.org/

Validation Type: Unavailable

IP Allow list: Does not exist

Secret Access Scope: Grants access to decrypt encrypted credentials.yml.enc file in Rails applications, which typically contains sensitive configuration values like database passwords, API keys, and other secrets.

Secret Revokement URL: Does not exist (requires manual regeneration)

Secret Example: 7c3e856e8f7a1cf4f95e2160f3b9a5d7

Suspicious Activity Investigation Instructions:

  • Check Git repositories for accidental commits of the master.key file
  • Review application logs for unusual access patterns or deployments
  • Examine server access logs for unauthorized access to the application
  • Monitor for unexpected changes to encrypted credentials
  • Check for unauthorized deployments or configuration changes in production environments

Mitigation Instructions:

  • Generate a new master key by deleting the existing master.key file and credentials.yml.enc file.
  • Run EDITOR=vim rails credentials:edit to create a new master key and credentials file.
  • Update the master key in all deployment environments (development, staging, production).
  • Ensure the master.key is properly added to .gitignore to prevent accidental commits.
  • Set the RAILS_MASTER_KEY environment variable in production environments rather than storing the file.
  • Rotate any compromised secrets that were encrypted with the previous master key.
  • Review and update deployment procedures to ensure proper secret management.