This blog is part of our Rails 5.2 series.

Before Rails 5.2, AES-256-CBC authenticated encryption was the default cipher for encrypting messages.

It was proposed to use AES-256-GCM authenticated encryption as the default cipher for encrypting messages because of following reasons:

  • It produces shorter ciphertexts and performs quick encryption and decryption.
  • It is less error prone and more secure.

So, AES-256-GCM became default cipher for encrypting messages in Rails 5.2 .

If we do not want AES-256-GCM as default cipher for encrypting messages in our rails application, then we can disable it.

Rails.application.config.active_support.use_authenticated_message_encryption = false

Default Encryption for cookies and sessions was also updated to use AES-256-GCM in this pull request.

If we do not want AES-256-GCM as default encryption of cookies and sessions, then we can disable it too.

Rails.application.config.active_support.use_authenticated_cookie_encryption = false