SECRET_KEY_BASE vs RAILS_MASTER_KEY
Rails uses two separate secret keys for two different purposes:
- SECRET_KEY_BASE — signs and verifies session cookies (CookieStore), signed URL tokens, and other Rails message verifiers. It is 128 hex characters (64 bytes). Generate it with
rails secret. - RAILS_MASTER_KEY — encrypts and decrypts
config/credentials.yml.enc. It is 32 hex characters (16 bytes) and is kept inconfig/master.key(gitignored) or as an environment variable.
Which one do you need?
On platforms like Heroku, Render, and Fly.io, you set both as environment variables. Since Rails 5.2, config/credentials.yml.enc can store secret_key_base too — meaning only RAILS_MASTER_KEY needs to be in the environment. Either approach is valid; consistency across environments matters most.
Rotating SECRET_KEY_BASE
Rotating SECRET_KEY_BASE invalidates all existing session cookies immediately — all users are logged out. There is no built-in fallback mechanism in Rails for session secrets. Plan accordingly.