Active_record_encryption_deterministic_key

Here deterministic: true tells Rails to use the deterministic key (and deterministic IV derivation) instead of the non-deterministic mode.

| Practice | Reason |
|----------|--------|
| | No – e.g., gender, status columns become trivially decipherable. |
| Use for unique identifiers? | Yes – email, username, external ID (low frequency risk). |
| Store deterministic key separately | From primary_key. Use different environment variables. |
| Prefer non-deterministic for PII like SSN, phone unless querying is required. | Higher security. |
| Add a salt to the model | encrypts :email, deterministic: true, deterministic_salt: "static_salt" – changes IV derivation but not key. Helps if column name changes. |
| Never use deterministic encryption for highly sensitive data if an attacker can see many ciphertexts (e.g., medical diagnoses). | Frequency analysis is practical. |

Rails solves this through two distinct encryption modes:

This feature is part of Active Record Encryption (introduced in Rails 7.0), which allows encrypting attributes in the database. The deterministic key specifically enables deterministic encryption.

Once configured, you can enable deterministic mode on specific attributes using the deterministic: true option.

While convenient, deterministic encryption is inherently less secure than randomized encryption. The usage of active_record_encryption_deterministic_key requires a strict threat-model assessment.
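The trade-off above can be measured on a database dump. The following is an added example, not code from Rails or from this page: it is a simplified model that assumes AES-256-GCM with the deterministic IV taken from an HMAC of the plaintext, and the keys, sample columns and helper names (`encrypt`, `ciphertext_histogram`, `demo`) are constructed for illustration.

```ruby
require "openssl"

# Simplified model of the two modes (assumption, not Rails' own code):
# AES-256-GCM, where deterministic mode derives the IV from the plaintext.
def encrypt(key, plaintext, deterministic:)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = if deterministic
    # Same key + same plaintext => same IV => same ciphertext.
    OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, plaintext)[0, cipher.iv_len]
  else
    OpenSSL::Random.random_bytes(cipher.iv_len)
  end
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  (iv + ciphertext + cipher.auth_tag).unpack1("H*")
end

# What a reader of the raw table sees without any key:
# how many rows share each stored value, largest group first.
def ciphertext_histogram(column)
  column.tally.values.sort.reverse
end

# Constructed keys, kept separate as the table recommends.
DET_KEY     = OpenSSL::Digest::SHA256.digest("constructed deterministic key")
PRIMARY_KEY = OpenSSL::Digest::SHA256.digest("constructed primary key")

# Constructed sample columns: one low-cardinality, one unique.
STATUSES = %w[active active active active active active suspended suspended closed]
EMAILS   = (1..9).map { |i| "user#{i}@example.test" }

def demo
  {
    # Low-cardinality column, deterministic: the plaintext distribution survives.
    status_det:  ciphertext_histogram(STATUSES.map { |s| encrypt(DET_KEY, s, deterministic: true) }),
    # Same column, randomized: every row is distinct, but equality lookups are impossible.
    status_rand: ciphertext_histogram(STATUSES.map { |s| encrypt(PRIMARY_KEY, s, deterministic: false) }),
    # Unique identifiers, deterministic: nothing repeats, so there is no frequency signal.
    email_det:   ciphertext_histogram(EMAILS.map { |e| encrypt(DET_KEY, e, deterministic: true) })
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, histogram| puts "#{name}: #{histogram.inspect}" }
end
```

Running the same histogram over a real encrypted column is a quick review check: a few large groups means the column is a poor fit for deterministic mode.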
