I am new to Rails 4, and do not understand the use of secret_key_base under config/secrets.yml in Rails 4. Can you please explain this concept?
Also, when I am working in the production environment, I am prompted to set the secret_key with devise.rb, config.secret_key, and secret_key_base. However, I can generate a new secret using the rake secret command.
What is the difference between development and production environments?
How is it matching the newly generated secret_key when I add it with secret_key_base every time I generate?
How is it securing the application with other servers?
The secret_key_base is thus responsible for reducing the configuration burden on developers while still allowing separate and disparate security features to function using separate keys.
Rails uses secret_key_base to derive keys that are used to generate and verify encrypted cookies, signed cookies and also signed messages.
2.2 config/secrets.yml: a file in the config folder. By default, this file contains the application's secret_key_base, but it could also be used to store other secrets such as access keys for external APIs.
The secret_token.rb file's content includes a long randomized string which is used to verify the integrity of signed cookies (such as user sessions when people are signed into your web app).
Documentation says:
Use your existing secret_key_base from the secret_token.rb initializer to set the SECRET_KEY_BASE environment variable for whichever users run the Rails app in production mode. Alternately, you can simply copy the existing secret_key_base from the secret_token.rb initializer to secrets.yml under the production section, replacing <%= ENV["SECRET_KEY_BASE"] %>.
Since it is an important file, and you can't put it in .gitignore, it is considered good practice to use an environment variable to store the secret_key_base value:
create a .env or .powenv file and store it as:
    export SECRET_TOKEN="9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4laalal19cb"
And then in config/initializers/secret_token.rb:
    YourAppName::Application.config.secret_key_base =
      if Rails.env.development? or Rails.env.test?
        # generate simple key for test and development environments
        ('a' * 30) # should be at least 30 chars long
      else
        # production reads the real secret from the environment, never from the repo
        ENV['SECRET_TOKEN']
      end
This article is (a bit old and) long but really full of useful info on the topic.
Starting from Rails 4.2 there is no longer a secret_token.rb file. By the new convention there is a config/secrets.yml file aimed at storing the application's secrets.
Have a read on how to upgrade an existing app to 4.2.x according to innovations.
Technically the purpose of secret_key_base is to be the secret input for the application's key_generator method (check Rails.application.key_generator).
The application's key_generator, and thus secret_key_base, are used by three core features within the Rails framework: cookies.encrypted, cookies.signed, and message_verifier instances. Check out more on each of the three in the article by @michaeljcoyne.
In Rails 4, with an application named Hello and session['a'] = 'b', your cookie will look something like this:
_Hello_session=BAh7B0kiD3%3D%3D--dc40a55cd52fe32bb3b84ae0608956dfb5824689
which translates into:
_Hello_session=<encrypted a=b>--<digital signature>
Cookies are set by server and kept client side, with browser resending set cookies to the server every time we request a page.
To prevent evil people from understanding the a=b string, it's encrypted.
To prevent evil people from tampering with cookies, a digital signature is used.
In both cases secret_key_base value is used (to encrypt/decrypt a=b and to validate digital signature).
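Added example, not part of any answer above: it reconstructs with only Ruby's standard library what the key_generator answer and the cookie answer describe, namely one secret_key_base, a per-purpose derived key, and a signed value in the <data>--<signature> shape that is rejected when tampered with or checked under a different secret. The sample secret and the PBKDF2 parameters are assumptions for illustration, not Rails' exact internals.

```ruby
require 'openssl'
require 'json'

# Constructed sample value; a real app takes this from `rake secret` / ENV.
SECRET_KEY_BASE = 'constructed-sample-secret-key-base-do-not-use'

# Rails' KeyGenerator derives one key per purpose from the single
# secret_key_base with PBKDF2, using the purpose name as salt, so the
# signed-cookie key and the encrypted-cookie key differ (parameters assumed).
def derive_key(secret_key_base, salt, iterations: 1000, size: 64)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, iterations, size, 'sha1')
end

# Signed value in the shape the cookie answer shows: <base64 data>--<hmac>.
def sign(session, key)
  data = [JSON.generate(session)].pack('m0')          # strict Base64
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', key, data)}"
end

# Constant-time comparison so a mismatch does not leak where it occurred.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check the signature before trusting anything the browser sent back.
# Returns the session hash, or nil for a forged, tampered or malformed value.
def verify(cookie, key)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', key, data), digest)
  JSON.parse(data.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  key = derive_key(SECRET_KEY_BASE, 'signed cookie')
  cookie = sign({ 'a' => 'b' }, key)
  puts cookie
  p verify(cookie, key)                                    # {"a"=>"b"}
  tampered = cookie.sub(/\A./) { |c| c == 'A' ? 'B' : 'A' }
  p verify(tampered, key)                                  # nil
  p verify(cookie, derive_key('other-secret', 'signed cookie'))  # nil
end
```

Rotating secret_key_base (for example by pasting in a fresh rake secret output) changes every derived key, which is why existing signed and encrypted cookies stop verifying after a rotation.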