rails · rafaelfranca · Oct 11, 2023 · Oct 11, 2023
diff --git a/guides/source/active_record_encryption.md b/guides/source/active_record_encryption.md
@@ -495,7 +495,7 @@ The digest algorithm used to derive keys. `OpenSSL::Digest::SHA1` by default.
 #### `config.active_record.encryption.support_sha1_for_non_deterministic_encryption`
 
 Supports decrypting data encrypted non-deterministically with a digest class SHA1. Default is false, which
-means it  will only support the digest algorithm configured in `config.active_record.encryption.hash_digest_class`.
+means it will only support the digest algorithm configured in `config.active_record.encryption.hash_digest_class`.
 
 ### Encryption Contexts
 

diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md
@@ -315,6 +315,27 @@ puts Rails.logger.broadcasts #=> [MyLogger]
 
 [assert_match]: https://docs.seattlerb.org/minitest/Minitest/Assertions.html#method-i-assert_match
 
+
+### Active Record encryption algorithm changes
+
+Active Record Encryption now uses SHA-256 as its hash digest algorithm. If you have data encrypted with previous Rails
+versions, there are two scenarios to consider:
+
+1. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA1 (the default
+   before Rails 7.0), you need to configure SHA-1 for Active Record Encryption too:
+
+  ```ruby
+  config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA1
+  ```
+
+1. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA256 (the new default
+   in 7.0), then you need to configure SHA-256 for Active Record Encryption:
+
+  ```ruby
+  config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA256
+  ```
+
+
 Upgrading from Rails 6.1 to Rails 7.0
 -------------------------------------