.env · security

Rails Secret Key Generator

Generate SECRET_KEY_BASE and RAILS_MASTER_KEY for Ruby on Rails in your browser. Matches rails secret output. Nothing is uploaded.

Be the first to rate
SECRET_KEY_BASE (128 hex chars)
Matches rails secret output — used to sign session cookies
Key
.env line
SECRET_KEY_BASE=
RAILS_MASTER_KEY (32 hex chars)
Used to decrypt credentials.yml.enc
Key
.env line
RAILS_MASTER_KEY=
CLI alternative
SECRET_KEY_BASE
rails secret
RAILS_MASTER_KEY
openssl rand -hex 16

What it does

  • SECRET_KEY_BASE: 128 hex chars (64 bytes) matching rails secret output
  • RAILS_MASTER_KEY: 32 hex chars (16 bytes) matching openssl rand -hex 16
  • All generated locally via crypto.getRandomValues
  • One-click copy of individual keys or full .env lines

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Bootstrapping a new Rails app without a local Ruby environment
  • Generating keys for a Rails deployment on Heroku, Render, or Fly.io
  • Rotating SECRET_KEY_BASE after a suspected compromise
  • Providing RAILS_MASTER_KEY for a CI/CD pipeline that runs rails credentials:edit

Common mistakes

  • Committing SECRET_KEY_BASE or RAILS_MASTER_KEY to git — both must be in .gitignore
  • Using the same keys across development, staging, and production
  • Rotating SECRET_KEY_BASE without warning users — all sessions are immediately invalidated
  • Confusing the two keys — RAILS_MASTER_KEY is shorter (32 hex chars), SECRET_KEY_BASE is longer (128 hex chars)

SECRET_KEY_BASE vs RAILS_MASTER_KEY

Rails uses two separate secret keys for two different purposes:

  • SECRET_KEY_BASE — signs and verifies session cookies (CookieStore), signed URL tokens, and other Rails message verifiers. It is 128 hex characters (64 bytes). Generate it with rails secret.
  • RAILS_MASTER_KEY — encrypts and decrypts config/credentials.yml.enc. It is 32 hex characters (16 bytes) and is kept in config/master.key (gitignored) or as an environment variable.

Which one do you need?

On platforms like Heroku, Render, and Fly.io, you set both as environment variables. Since Rails 5.2, config/credentials.yml.enc can store secret_key_base too — meaning only RAILS_MASTER_KEY needs to be in the environment. Either approach is valid; consistency across environments matters most.

Rotating SECRET_KEY_BASE

Rotating SECRET_KEY_BASE invalidates all existing session cookies immediately — all users are logged out. There is no built-in fallback mechanism in Rails for session secrets. Plan accordingly.

Frequently asked questions

What is the difference between SECRET_KEY_BASE and RAILS_MASTER_KEY?

SECRET_KEY_BASE signs and verifies session cookies (CookieStore), signed URLs, and Rails message verifiers — it is 128 hex characters (64 bytes). RAILS_MASTER_KEY decrypts config/credentials.yml.enc — it is 32 hex characters (16 bytes) and is kept in config/master.key (gitignored) or as an environment variable.

How do I set these in production on Heroku, Render, or Fly.io?

Set both as environment variables in the platform's dashboard or CLI. On Heroku: heroku config:set SECRET_KEY_BASE=... RAILS_MASTER_KEY=.... On Render/Fly.io: add them in the environment variables section of your service settings. Never commit these values to git.

What happens if I rotate SECRET_KEY_BASE?

All existing session cookies are immediately invalidated — every user is logged out. Rails has no built-in fallback mechanism for session secrets (unlike Django 4.1+). Plan a maintenance window or accept the forced logout.

Is this the same as running rails secret?

Yes. The rails secret command generates 128 hex characters (64 bytes) via SecureRandom.hex(64). This tool uses crypto.getRandomValues to generate 64 bytes and encodes them as hex, producing statistically equivalent output. Nothing is uploaded.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.