The deterministic_key allows Rails to produce the same ciphertext for identical plaintext inputs, enabling standard where queries and unique indexes on sensitive fields like email addresses.

What is the Deterministic Key?

Active Record Encryption uses two primary modes:

Unlike non-deterministic encryption, which produces a different ciphertext every time you encrypt the same data, deterministic encryption always produces the same ciphertext for the same input. This is primarily used to allow database querying (e.g., User.find_by(email: "test@example.com")) on encrypted columns.
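The difference between the two modes, and what equal ciphertexts reveal to anyone who can read the table, shown as an added example in plain Ruby OpenSSL (not code from the page or from Rails). Deriving the IV from an HMAC of the plaintext is the illustrative construction assumed here, and the key constants, sample rows and helper names are hypothetical.

```ruby
require "openssl"

# Constructed 32-byte demo keys; real keys come from credentials or ENV.
DEMO_PRIMARY_KEY       = OpenSSL::Digest::SHA256.digest("constructed primary key")
DEMO_DETERMINISTIC_KEY = OpenSSL::Digest::SHA256.digest("constructed deterministic key")
# Constructed sample rows: rows 0 and 2 hold the same address.
EMAILS = ["alice@example.com", "bob@example.com", "alice@example.com"]

# AES-256-GCM encryption. In deterministic mode the 12-byte IV is taken from
# HMAC-SHA256(key, plaintext), so equal plaintexts give equal tokens.
# Otherwise the IV is random and every call gives a different token.
def demo_encrypt(plaintext, key:, deterministic:)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = if deterministic
    OpenSSL::HMAC.digest("SHA256", key, plaintext)[0, 12]
  else
    OpenSSL::Random.random_bytes(12)
  end
  cipher.iv = iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |part| part.unpack1("H*") }.join(":")
end

# Reverses demo_encrypt; raises OpenSSL::Cipher::CipherError if the token was altered.
def demo_decrypt(token, key:)
  iv, tag, ciphertext = token.split(":").map { |hex| [hex].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# What a reader of the stored column sees without any key:
# the row indexes whose ciphertexts are identical.
def duplicate_groups(tokens)
  tokens.each_index.group_by { |i| tokens[i] }.values.select { |g| g.size > 1 }
end

det = EMAILS.map { |e| demo_encrypt(e, key: DEMO_DETERMINISTIC_KEY, deterministic: true) }
rnd = EMAILS.map { |e| demo_encrypt(e, key: DEMO_PRIMARY_KEY, deterministic: false) }
puts "deterministic duplicates: #{duplicate_groups(det).inspect}"
puts "randomized duplicates:    #{duplicate_groups(rnd).inspect}"
```

The deterministic column can be searched by encrypting the query value and comparing tokens, and for the same reason it shows which rows share a value; the randomized column supports neither.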

```yaml
active_record_encryption:
  primary_key:
  deterministic_key:
  key_derivation_salt:
```

```ruby
config.active_record.encryption.primary_key = ENV["ENCRYPTION_PRIMARY_KEY"]
config.active_record.encryption.deterministic_key = ENV["ENCRYPTION_DETERMINISTIC_KEY"]
```

find_by or uniqueness validations while keeping the data encrypted at rest.

Configuration

You must define this key in your application's credentials or environment configuration for deterministic encryption to function.

```ruby
# config/environments/production.rb or an initializer
config.active_record.encryption.deterministic_key = Rails.application.credentials.active_record_encryption_deterministic_key
```

Usage in Models

Once configured, you can enable it on specific attributes:

```ruby
class User < ApplicationRecord
  # Deterministic encryption allows User.find_by(email: "example@test.com")
  encrypts :email, deterministic: true
end
```

Security Trade-off

Deterministic
