Rails Secret Key Generator
Generate SECRET_KEY_BASE and RAILS_MASTER_KEY for Ruby on Rails — hex-encoded, matching what rails secret andopenssl rand -hex 16 produce. Runs entirely in your browser.
SECRET_KEY_BASE=RAILS_MASTER_KEY=rails secretopenssl rand -hex 16SECRET_KEY_BASE vs RAILS_MASTER_KEY
Rails uses two separate secret keys for two different purposes:
- SECRET_KEY_BASE — used to sign and verify session cookies (CookieStore), signed URL tokens, and other Rails message verifiers. It is 128 hex characters (64 bytes). Generate it with
rails secret. - RAILS_MASTER_KEY — used to encrypt and decrypt
config/credentials.yml.enc. It is 32 hex characters (16 bytes) and is kept inconfig/master.key(gitignored) or as an environment variable.
Which one do you need?
On platforms like Heroku, Render, and Fly.io, you set both as environment variables. On Kamal and bare VPS deployments, you typically use config/master.key for the master key and inject SECRET_KEY_BASE via the environment.
Since Rails 5.2, config/credentials.yml.enc can store both — including secret_key_base — and only the master key needs to be in the environment. Either approach is valid; consistency across environments matters more than which method you choose.
Rotating SECRET_KEY_BASE
Rotating SECRET_KEY_BASE invalidates all existing session cookies immediately. Plan for users to be logged out. There is no built-in fallback mechanism in Rails for session secrets (unlike Django 4.1+).
Related tools
- Rails .env Generator — full scaffold for a Rails project
- OpenSSL Rand Generator — replicate openssl rand in-browser
- Secret Generator — general-purpose secrets for any stack