
active_record_encryption_deterministic_key

```ruby
config.active_record.encryption.primary_key = ENV["ENCRYPTION_PRIMARY_KEY"]
config.active_record.encryption.deterministic_key = ENV["ENCRYPTION_DETERMINISTIC_KEY"]
```

Rails uses the active_record_encryption_deterministic_key to derive an IV from the content itself. This means "email@example.com" will always encrypt to the same string, allowing the database to perform equality comparisons.

How to Configure the Deterministic Key

The deterministic key is the cryptographic key used for deterministic encryption. It is derived from:

The environment variable active_record_encryption_deterministic_key is a configuration setting used in Ruby on Rails to provide a stable, consistent encryption key for deterministic encryption.

| Practice | Reason |
|----------|--------|
| Use for low-cardinality columns? | No – e.g., gender, status columns become trivially decipherable. |
| Use for unique identifiers? | Yes – email, username, external ID (low frequency risk). |
| Store the deterministic key separately from primary_key | Use different environment variables. |
| Prefer non-deterministic encryption for PII like SSN or phone unless querying is required | Higher security. |
| Add a salt to the model | `encrypts :email, deterministic: true, deterministic_salt: "static_salt"` – changes IV derivation but not the key. Helps if the column name changes. |
| Never use deterministic encryption for highly sensitive data if an attacker can see many ciphertexts (e.g., medical diagnoses) | Frequency analysis is practical. |

find_by or uniqueness validations while keeping the data encrypted at rest.

Configuration

You must define this key in your application's credentials or environment configuration for deterministic encryption to function.

```ruby
# config/environments/production.rb or an initializer
config.active_record.encryption.deterministic_key = Rails.application.credentials.active_record_encryption_deterministic_key
```

Usage in Models

Once configured, you can enable it on specific attributes:

```ruby
class User < ApplicationRecord
  # Deterministic encryption allows User.find_by(email: "example@test.com")
  encrypts :email, deterministic: true
end
```

Security Trade-off

Deterministic

With the introduction of Active Record Encryption in Rails 7, developers gained the ability to encrypt application data at rest without significant architectural overhead. A critical component of this system is the active_record_encryption_deterministic_key. This configuration allows for deterministic encryption, a mechanism where a specific plaintext always produces the same ciphertext. This capability is essential for maintaining database queryability (e.g., searching for a specific email address) but introduces distinct security trade-offs compared to non-deterministic encryption. This paper explores the implementation, configuration strategies, and security considerations required to safely utilize deterministic keys in a production environment.

deterministic_key is a powerful feature when used only for queryable, high-entropy attributes and when the threat model excludes frequency analysis attacks. For maximum security, default to non-deterministic mode and add blind indexes only when necessary.

Once configured, you can enable deterministic mode on specific attributes using the deterministic: true option.

Here deterministic: true tells Rails to use the deterministic key (and deterministic IV derivation) instead of the non-deterministic mode.

```ruby
config.active_record.encryption.deterministic_key = ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"]
```

Using Deterministic Encryption in Models

Unlike non-deterministic encryption, which produces a different ciphertext every time you encrypt the same data, deterministic encryption always produces the same ciphertext for the same input. This is primarily used to allow database querying (e.g., User.find_by(email: "test@example.com")) on encrypted columns.
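The following plain-Ruby model of the two modes is an added example, not Rails' own implementation: it uses AES-256-GCM from the OpenSSL standard library with a random IV in non-deterministic mode and a content-derived IV (an HMAC under the deterministic key) in deterministic mode, then shows why that makes equality lookups possible and why a low-cardinality column leaks its value distribution. The key values, `find_by_email` and `ciphertext_histogram` are constructed for this illustration.

```ruby
require "openssl"

# Constructed keys for this illustration only. In Rails they come from
# config.active_record.encryption.primary_key and .deterministic_key.
PRIMARY_KEY       = OpenSSL::Digest::SHA256.digest("constructed-primary-key")
DETERMINISTIC_KEY = OpenSSL::Digest::SHA256.digest("constructed-deterministic-key")

# Simplified model of the two modes (not Rails' actual code): the
# non-deterministic mode uses a random IV, while the deterministic mode
# derives the IV from the content with an HMAC under the deterministic
# key, so equal plaintexts always give equal ciphertexts.
def encrypt(plaintext, deterministic: false)
  key = deterministic ? DETERMINISTIC_KEY : PRIMARY_KEY
  iv = if deterministic
         OpenSSL::HMAC.digest("SHA256", key, plaintext)[0, 12]
       else
         OpenSSL::Random.random_bytes(12)
       end
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv + ciphertext + cipher.auth_tag].pack("m0") # strict base64 token
end

def decrypt(token, deterministic: false)
  key = deterministic ? DETERMINISTIC_KEY : PRIMARY_KEY
  raw = token.unpack1("m0")
  iv, ciphertext, tag = raw[0, 12], raw[12...-16], raw[-16, 16]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# An equality lookup (the find_by(email: ...) case) works only because the
# deterministic mode lets us recompute the stored ciphertext from the query.
def find_by_email(rows, email)
  needle = encrypt(email, deterministic: true)
  rows.find { |row| row[:email_ciphertext] == needle }
end

# The trade-off: the ciphertext histogram of a deterministic column mirrors
# the plaintext histogram, which is why low-cardinality values are unsafe.
def ciphertext_histogram(values)
  values.map { |v| encrypt(v, deterministic: true) }.tally
end
```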