Active_record_encryption_deterministic_key
The command above generates a primary_key, a deterministic_key, and a key_derivation_salt. Store these in your Rails Credentials (e.g., bin/rails credentials:edit):
config.active_record.encryption.deterministic_key = ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"]

Using Deterministic Encryption in Models
Deterministic encryption uses the active_record_encryption_deterministic_key to derive an IV based on the content itself. This means "email@example.com" will always encrypt to the same string, allowing the database to perform equality comparisons.

How to Configure the Deterministic Key
  # The :secret_notes attribute will use the primary_key (randomized)
  encrypts :secret_notes
end
If you prefer environment variables, you can set them in config/application.rb:
Rails solves this through two distinct encryption modes:
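
The two modes side by side, as an added example in plain Ruby with OpenSSL (not Rails' own code and not from the original page): the deterministic branch takes the IV from an HMAC of the plaintext, as described above, while the randomized branch draws a fresh IV on every call. The keys, salt, token format and helper names (demo_key, encrypt, decrypt, find_rows) are constructed for the illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed demo keys; a stand-in for the keys Rails derives from its configured secrets.
def demo_key(secret)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, "constructed-salt", 10_000, 32, OpenSSL::Digest.new("SHA256"))
end
PRIMARY_KEY = demo_key("constructed primary secret")
DETERMINISTIC_KEY = demo_key("constructed deterministic secret")

# AES-256-GCM. Randomized mode picks a fresh IV per call; deterministic mode
# takes the IV from an HMAC of the plaintext, so equal inputs give equal output.
def encrypt(key, plaintext, deterministic: false)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = if deterministic
    OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, plaintext)[0, cipher.iv_len]
  else
    SecureRandom.random_bytes(cipher.iv_len)
  end
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  # Token layout (constructed): base64 of IV, ciphertext and auth tag, dot-separated.
  [iv, ciphertext, cipher.auth_tag].map { |part| [part].pack("m0") }.join(".")
end

def decrypt(key, token)
  iv, ciphertext, tag = token.split(".").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
end

# Equality lookup over stored ciphertexts: encrypt the query value the same
# way and compare strings, which is all a database index needs to do.
def find_rows(column, key, value)
  needle = encrypt(key, value, deterministic: true)
  column.each_index.select { |i| column[i] == needle }
end

if __FILE__ == $PROGRAM_NAME
  emails = ["a@example.com", "email@example.com"].map { |e| encrypt(DETERMINISTIC_KEY, e, deterministic: true) }
  p find_rows(emails, DETERMINISTIC_KEY, "email@example.com")
  p encrypt(PRIMARY_KEY, "note") == encrypt(PRIMARY_KEY, "note")
end
```

Equal ciphertexts also show anyone who can read the column which rows share a value, which is why attributes that are never queried, such as :secret_notes, stay on randomized encryption.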