diff --git a/buildpacks/ruby/src/steps/default_env.rs b/buildpacks/ruby/src/steps/default_env.rs
index 473770ba..d8f3849e 100644
--- a/buildpacks/ruby/src/steps/default_env.rs
+++ b/buildpacks/ruby/src/steps/default_env.rs
@@ -23,7 +23,20 @@ pub(crate) fn default_env(
         env.insert(k, v);
     }
 
-    let (default_secret_key_base, store) = fetch_secret_key_base_from_store(&context.store);
+    let mut store = context.store.clone().unwrap_or_default();
+    let default_secret_key_base = store
+        .metadata
+        .entry("SECRET_KEY_BASE")
+        .or_insert_with(|| {
+            let mut rng = rand::thread_rng();
+
+            (0..64)
+                .map(|_| rng.sample(rand::distributions::Alphanumeric) as char)
+                .collect::<String>()
+                .into()
+        })
+        .to_string();
+
     let layer_ref = context.uncached_layer(
         layer_name!("env_defaults"),
         UncachedLayerDefinition {
@@ -53,21 +66,3 @@ pub(crate) fn default_env(
 
     Ok((env, store))
 }
-
-fn fetch_secret_key_base_from_store(store: &Option<Store>) -> (String, Store) {
-    let mut store = store.clone().unwrap_or_default();
-    let default_secret_key_base = store
-        .metadata
-        .entry("SECRET_KEY_BASE")
-        .or_insert_with(|| {
-            let mut rng = rand::thread_rng();
-
-            (0..64)
-                .map(|_| rng.sample(rand::distributions::Alphanumeric) as char)
-                .collect::<String>()
-                .into()
-        })
-        .to_string();
-
-    (default_secret_key_base, store)
-}
diff --git a/buildpacks/ruby/tests/integration_test.rs b/buildpacks/ruby/tests/integration_test.rs
index ece3ea13..3a19fa2c 100644
--- a/buildpacks/ruby/tests/integration_test.rs
+++ b/buildpacks/ruby/tests/integration_test.rs
@@ -93,6 +93,9 @@ fn test_default_app_latest_distro() {
 
             assert_contains!(context.pack_stdout, "Installing puma");
 
+            let secret_key_base = context.run_shell_command("echo \"${SECRET_KEY_BASE:?No SECRET_KEY_BASE set}\"").stdout;
+            assert!(!secret_key_base.trim().is_empty(), "Expected {secret_key_base:?} to not be empty but it is");
+
             let config = context.config.clone();
             context.rebuild(config, |rebuild_context| {
                 println!("{}", rebuild_context.pack_stdout);
@@ -114,6 +117,12 @@ fn test_default_app_latest_distro() {
                         assert_contains!(body, "ruby_version");
                     },
                 );
+
+                // Assert SECRET_KEY_BASE is preserved between invocations
+                assert_eq!(
+                    secret_key_base,
+                    rebuild_context.run_shell_command("echo \"${SECRET_KEY_BASE:?No SECRET_KEY_BASE set}\"").stdout
+                );
             });
         },
     );