101

I am developing a Rails 4 app using the Active Admin gem for the administration back end. Active Admin in turn uses Devise for user authentication. Now, when I try to deploy the app using capistrano on the VPS server, I get the below error:

rake aborted!
Devise.secret_key was not set. Please add the following to your Devise initializer:
config.secret_key = '-- secret key --'

A Google search does not do much for this error. Any suggestions why it is throwing an error? Should I add the secret key to devise initializer, as I cannot find any place to set such config key in initializers/devise.rb?

scarver2
  • @mrbrdo yes the message tells exactly what is missing, but when you open devise.rb file there is no documentation about `secret key`. Also if you are running a fresh install, the application should take care of that. Thanks to the ticket at https://github.com/plataformatec/devise/issues/2554 it has been resolved. –  Sep 07 '13 at 10:23

16 Answers

89

I ran bundle update this morning and started getting the same error.

I added it as a line in config/initializers/devise.rb and the error was fixed.

This seems to be the commit which introduced it.

oxfist
Brian Weiner
  • 25
    Future Googlers, As of 2014-07-08, https://stackoverflow.com/questions/18080910/devise-secret-key#answer-22584303 is the more proper answer for Rails 4+ to avoid spreading secrets throughout config. – Zachary Moshansky Jul 08 '14 at 20:46
  • 3
    As of 2015-10-30, http://stackoverflow.com/a/32525855/1842747 is the best answer, but I highly recommend going straight to setting the `SECRET_KEY_BASE` environment variable instead of copying it into `secrets.yml` so you don't forget that your "secret key" is not secret enough! – monozok Oct 31 '15 at 00:08
38

What worked for me on Rails 4.1 and Devise 3.2.4 is in config/initializers/devise.rb:

config.secret_key = ENV['DEVISE_SECRET_KEY'] if Rails.env.production?
oxfist
Paul Odeon
33

As of Devise 3.2.3 for Rails 4+ applications the key setting location defaults to YourAppName::Application.config.secret_key_base found in config/initializers/secret_token.rb

Nigel Thorne
Brandon Cook
  • 2
    Ah good to know. I understand that it's a Very Bad Thing for an open source app to have the Devise secret key sitting somewhere in plain text in the source, correct? At least this default allows us to set up dynamic secret keys in fewer places. – Topher Hunt Jun 01 '14 at 16:19
  • 4
    Can someone spell out what to do with this information, for the non-pros? thanks! – ahnbizcad Jul 28 '14 at 13:39
  • 2
    I don't see that file in my app. Does this mean rails g devise:install didn't work successfully? Or is this answer already outdated? – ahnbizcad Jul 28 '14 at 23:28
  • 11
    Outdated. secret_token.rb does not come stock with Rails 4, having been replaced with **config/secrets.yml** (see [here](http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#config-secrets-yml) for more info). Slightly off topic, but make sure to include config/secrets.yml in your .gitignore, like it says in the Rails-generated comments. To learn how, go [here](https://help.github.com/articles/ignoring-files/). – brntsllvn Sep 10 '15 at 00:27
12

This solved my problem:

Add the code below to your config/initializers/devise.rb file.

config.secret_key = '-- secret key --' 

Replace '-- secret key --' with your own key. I recommend storing it in an ENV variable for security purposes.

  • 2
    How\where do you do that, and how do you connect them? – ahnbizcad Jul 28 '14 at 22:19
  • 3
    ^ the answer to that is to use the figaro gem. github.com/laserlemon/figaro You put all your actual keys in a config/application.yml file, gitignore it so that they stay secret, and reference them elsewhere in your application like so `ENV["your_particular_secret_key_name"]`. Then, your app references your keys dynamically. But you've gitignored your keys, so how do you get them to your production environment? You push them directly from your local development environment to heroku using figaro, and your secret keys will end up as environment variables on heroku – ahnbizcad Jan 31 '15 at 10:00
12

As per changelog:

Devise will use the secret_key_base on Rails 4+ applications as its secret_key. You can change this and use your own secret by changing the devise.rb initializer.

I went to config/secrets.yml and changed the production value.

Before:

production: 
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

After:

production: 
  secret_key_base: string of characters

Of course, that should be set to the environment variable, which I will set later, but this at least got it running. I got my string by using bundle exec rake secret.

Pawel
Eric
10

Could it be that you did not run rails g devise:install?

Running rails generate devise User without the previous command does cause this problem.

sascha.daniels
  • 1
    That is my problem but how do you fix it ... ? – C404 Jan 07 '14 at 19:01
  • It should be possible to re-run "rails g devise:install" after creating users. If you use git, make a testing branch and try it. If not, try it on a copy of your project. – sascha.daniels Jan 16 '14 at 11:21
  • This is what my problem was. I deleted the app (I hadn't done much) and did `rails g devise user` before I tried to create the user table and migrate. This fixed the problem. – Matt Feb 09 '14 at 23:10
  • this solved the same problem for me with Rails 5.0.0.beta4 & Devise 4.1.1 but I'm not sure why. I ran a diff and the only line that changed in my devise.rb, apart from a different secret key, was + 102: "config.stretches = Rails.env.test? ? 1 : 11" – Cleverlemming Jul 29 '16 at 22:29
10

In config/initializers/devise.rb I put:

config.secret_key = ENV["SECRET_KEY_BASE"] if Rails.env.production?

Because if you put:

$ heroku config

You'll see a secret_key_base for the mode production.

John Hinnegan
rld
  • 2
    I think there's a big security problem with this answer. If you put the single quotes around '<%= ENV["SECRET_KEY_BASE"] %>' as the answer suggests, then I think you get that exact string of characters instead of getting the interpolated secret key base. In other words, it literally spells out ENV["SECRET_KEY_BASE"], right? – user1515295 Aug 22 '17 at 14:12
  • To clarify, use double quotes: "<%= ENV["SECRET_KEY_BASE"] %>" – user1515295 Jan 03 '18 at 01:03
  • 3
    devise.rb is a ruby file, not an erb file. No need for the <%= syntax. Just use config.secret_key = ENV["SECRET_KEY_BASE"] – John Hinnegan Aug 04 '18 at 16:13
6

I solved my initializer problem with this ugly approach:

config.secret_key = 'some1234keyq23' if Rails.env == 'production'

in config/initializers/devise.rb. It now works in production as well as in development!

Andrey Yasinishyn
6

I cloned my repository onto a new machine from git. The

config/secrets.yml 

file was on my .gitignore list, so that file didn't exist, and Devise doesn't create the file.

I added the file, then re-ran

rails generate devise MODEL

and it worked.

jgrumps
  • 1
    THIS. Github thought it was being helpful by adding `secrets.yml` to my `.gitignore` file. I didn't give it a thorough read-through, and was vaguely impressed that it included so much more than the generated Rails `.gitignore` file. :facepalm: – steve Jul 28 '16 at 03:30
  • Yep, this is what my issue was. I reverted to an old git commit and the secrets.yml file was gone. – ddonche May 18 '17 at 16:17
  • Just had this same problem. An app I'm using to follow a tutorial for something didn't want to work, so I cloned into a new directory and copied the commits of the tutorial author. Didn't see the problem, so I manually set the config.secret_key. Only found out when booting my rails server. Gave you an upvote so this can be higher! – Joe Apr 03 '18 at 19:48
5

Check if your config\initializers\secret_token.rb has:

YourAppName::Application.config.secret_token

It should be:

YourAppName::Application.config.secret_key_base
Pawel
zurbergram
4

I had the same issue. The problem was caused by these lines in routes.rb:

devise_for :users, :skip => [:registrations]                                                   
as :user do
  get 'users/edit' => 'devise/registrations#edit', :as => 'edit_user_registration'              
  put 'users' => 'devise/registrations#update', :as => 'user_registration'                      
  get '/users/sign_out' => 'devise/sessions#destroy'                                            
end

I commented them out and after that I ran:

$ rails generate devise:install

And it has evaluated perfectly. And after that I uncommented routes.

ExiRe
  • Perfect, thanks. Had this problem setting up a new project, and forgot the `rails generate devise:install` before creating my first devise model. As per this answer, commented out the devise_for line in the routes then run the generate command, and it works. – user208769 Jan 10 '14 at 22:10
  • I commented out the `devise_for` line to get my rake db:migrate to work.. no idea why though – Clam May 11 '15 at 17:26
1

Well, I have been following this post and tried almost everything here. I have added the key to devise.rb. But I was still getting the same error.

Maybe a stupid answer, but all I had to do was to push the devise.rb key to the repository.

amrdruid
Philip John
1

Fix:

  1. In the production server:

    sudo -H nano /etc/environment
    
  2. Then in the file add:

    export SECRET_KEY_BASE="yourkey"
    export DEMO03_DATABASE_PASSWORD="yourpass"
    

    to set this permanently, and system wide (all users, all processes) add set variable

  3. In the local project devise.rb file:

    config.secret_key = ENV["SECRET_KEY_BASE"] if Rails.env.production?
    

Technical details:

  • Ubuntu 16.04
  • Devise (4.2.0)
  • rails 5.0.1
  • capistrano (3.7.1)
gotqn
1

Ran into the same trouble with Rails 5.2.0 and Devise 4.4.1

Drop the following into /config/initializers/devise.rb

config.secret_key = Rails.application.credentials.secret_key_base
0

Trying to give a somewhat more complete answer to the ones above: As mentioned in the devise_auth_token gem's documentation

...Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at config/initializers/devise.rb. Here are some examples of what you can do in this file:

Devise.setup do |config|
  # The e-mail address that mail will appear to be sent from
  # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com"
  config.mailer_sender = "support@myapp.com"

  # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash
  # middleware b/c rails-api does not include it.
  # See: http://stackoverflow.com/q/19600905/806956
  config.navigational_formats = [:json]
end

I had the same problem, and as mentioned here, I created the devise initializer and added the config.secret_key = ENV['DEVISE_SECRET_KEY'] line to it.

Amit Liber
-1

I do not know the right solution, but this is working. You can try it. I cloned my project from my GitLab account, and when I ran it on my local server, I got an error message:

rake aborted!
Devise.secret_key was not set. Please add the following to your Devise initializer:
config.secret_key = '-- secret key --'

Open config/initializers/devise.rb and add this line

config.secret_key = '<%= ENV["SECRET_KEY_BASE"] %>'

This line of code solved my problem.

OguzTR
  • config won't eval ruby rockets `<%= %>` as string interpolation. Your key will then literally be what you have typed inside the string literal `' what ever the %he!@#$ you type here is your key no matter what characters'` – lacostenycoder Jan 14 '19 at 21:35
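
An added example, not taken from any post above: it shows why the ERB tag yields a real value in config/secrets.yml (Rails renders that file through ERB before parsing the YAML) but stays a fixed, publicly known string when quoted in devise.rb, and sketches a guard that rejects such keys. The names `production_secret`, `weak_secret_reason`, `with_env` and the `MIN_LENGTH` threshold are assumptions made for this illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample: a production stanza like the one quoted from config/secrets.yml.
SECRETS_YML = <<~'YAML'
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

PLACEHOLDER = "-- secret key --" # text from the Devise error message
MIN_LENGTH  = 64                 # assumed floor; `rake secret` prints 128 hex chars

# Render the YAML through ERB first, the way Rails reads secrets.yml,
# then return the production secret_key_base (nil when the variable is unset).
def production_secret(yaml_text)
  rendered = ERB.new(yaml_text).result
  YAML.safe_load(rendered).dig("production", "secret_key_base")
end

# Hypothetical guard for an initializer: returns nil for an acceptable key,
# otherwise a symbol naming the problem.
def weak_secret_reason(key)
  s = key.to_s
  return :missing         if s.strip.empty?
  return :literal_erb_tag if s.include?("<%")
  return :placeholder     if s == PLACEHOLDER
  return :too_short       if s.length < MIN_LENGTH
  nil
end

# Run a block with one environment variable temporarily set (nil unsets it).
def with_env(name, value)
  saved = ENV[name]
  ENV[name] = value
  yield
ensure
  ENV[name] = saved
end

if __FILE__ == $PROGRAM_NAME
  # devise.rb is plain Ruby: a quoted ERB tag is never evaluated.
  p weak_secret_reason('<%= ENV["SECRET_KEY_BASE"] %>')
  p weak_secret_reason("some1234keyq23")
  # With the variable unset, secrets.yml renders to an empty value.
  p with_env("SECRET_KEY_BASE", nil) { production_secret(SECRETS_YML) }
end
```

An unset `SECRET_KEY_BASE` makes the rendered secrets.yml value nil, which is the condition under which Devise reports that `secret_key` was not set.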