Your Flow Credentials File Is Encrypted Using A System-generated Key


Target: 0.15

Currently, credentials are passed to the storage API in the clear, so unless the storage mechanism does something specific, they are stored in the clear.

With the move to add version control backing to Node-RED, there is a very real prospect of credentials being stored, in the clear, in version control. That is highly undesirable.

'system-key-warning': Your flow credentials file is encrypted using a system-generated key. If the system-generated key is lost for any reason, your credentials file will not be recoverable, you will have to delete it and re-enter your credentials. You should set your own key using the 'credentialSecret' option in your settings file.

We cannot escape the fact that we need to store credential information in a retrievable way; hashing is not an option.

This feature is to enable encryption of credentials by default - a user has to explicitly disable encryption if they do not want it to apply.

The encryption scheme requires a key to encrypt/decrypt the content.

A user can provide their own key via the credentialSecret property in the settings file, but most users will not do that the first time they run Node-RED after upgrading to this release. In that case, the runtime will auto-generate a key and store it in the runtime settings. The credentials are then encrypted with that key the next time flows are deployed.


If a user then provides their own credentialSecret property in the settings.js file, the runtime will migrate from the generated key to the user-provided key the next time flows are deployed.

If a user changes credentialSecret at any point, the runtime will no longer be able to decrypt the credentials and they will be lost.

The credentials passed over the Storage API will be the encrypted set. An unencrypted credential object looks like this:


After encryption, it looks like this:

Because the encrypted form is still a valid JSON object, underlying storage implementations should not be affected by the change.

Encryption scheme


Decryption scheme


FAQ

The credentials file (flows_cred.json) is encrypted by default to ensure its contents cannot be easily read.

Node-RED generates a random key for the encryption if you do not provide one in your settings file. If a second instance of Node-RED doesn't have the same encryption key, it won't be able to decrypt the file.

Here are the steps you need to resolve this.

  1. Edit your settings.js file and add a credentialSecret property with whatever string value you want. If you want to disable encryption, set its value to false.

  2. Restart Node-RED and deploy a change. This triggers Node-RED to re-encrypt your credentials with your chosen key (or to disable encryption if the value is set to false).

  3. You can then copy your flow/credential file to a second instance; just make sure you give it the same credentialSecret value in its settings file.

Note that once you set credentialSecret you cannot change its value.
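
The behaviour described above (an encrypted credentials object that is still valid JSON, readable only by an instance holding the same secret) can be sketched as follows. This is an added example, not Node-RED's own code: the cipher (AES-256-GCM), the key derivation (scrypt), the "$" field name and the sample values are all assumptions made for illustration.

```javascript
// Added illustration, not Node-RED's own scheme: the cipher (AES-256-GCM),
// the KDF (scrypt) and the "$" envelope field are assumptions of this sketch.
const crypto = require('crypto');

// Derive a 32-byte key from the credentialSecret string and a per-file salt.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

// Encrypt a credentials object. The result is itself a valid JSON object,
// so a storage backend can persist it without knowing it is encrypted.
function encryptCredentials(credentials, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(credentials), 'utf8'),
    cipher.final(),
  ]);
  const blob = Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
  return { $: blob.toString('base64') };
}

// Decrypt an envelope. Returns null when the secret is wrong or the data was
// modified: GCM authentication fails instead of yielding garbage plaintext.
function decryptCredentials(envelope, secret) {
  if (!envelope || typeof envelope.$ !== 'string') return null;
  const blob = Buffer.from(envelope.$, 'base64');
  if (blob.length < 44) return null; // salt(16) + iv(12) + tag(16)
  try {
    const key = deriveKey(secret, blob.subarray(0, 16));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
    decipher.setAuthTag(blob.subarray(28, 44));
    const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample: the node id and credential values are made up.
const sample = { 'a1b2c3d4.e5f6': { user: 'mqtt-user', password: 'constructed-pw' } };
// Round-trip through JSON text, as a file or version-control backend would.
const stored = JSON.parse(JSON.stringify(encryptCredentials(sample, 'instance-A-secret')));
console.log(Object.keys(stored));
console.log(decryptCredentials(stored, 'instance-A-secret'));
console.log(decryptCredentials(stored, 'some-other-secret'));
```

The last call models a second instance, or the same instance after its secret was changed: without the original secret the stored credentials cannot be recovered.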