credentialSecret, settings.js and git

Happy new year everyone! Wanted to start the new year by improving my node red settings :smiley:

I always used credentialSecret: false in settings.js. But now I changed to a password. What is the consequence of this? I expect the flows_cred.json to be encrypted now, which seems to be the case.

But the password is still visible in settings.js? I thought it would be encrypted there also? If the password is stored in clear text, then how do you keep track of settings.js in git? Because I don't want the password to be there.

Is this what happens?

  1. set credentialSecret in settings.js
  2. start node red
  3. flows_cred.json is now encrypted?

No change to settings.js?

Basically, yes.

Unless you have a suitable key manager or hardware security manager, you would generally put such "secrets" into an environment variable and simply reference that variable in your settings.js file.

If you are working with Node-RED on a Linux environment and starting it with systemd, you can add custom environment variables to the systemd start script.

settings.js is a node.js module and so you can use process.env.myenv or similar to get the variable.

1 Like
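The pattern described above, as an added example that is not code from the thread: a helper that settings.js calls so credentialSecret is read from an environment variable and a missing variable stops startup instead of quietly leaving the credentials file weakly protected. The variable name NODE_RED_CREDENTIAL_SECRET and the uiPort entry are assumptions.

```javascript
"use strict";

// Assumed variable name; any name works as long as the service supplies it.
const SECRET_VAR = "NODE_RED_CREDENTIAL_SECRET";

// Read the credential secret from an environment-like object.
// Returns the secret string; throws when it is absent or empty so that a
// service started without it fails loudly rather than running unprotected.
function credentialSecretFromEnv(env, name = SECRET_VAR) {
  const value = env[name];
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`${name} is not set; refusing to start Node-RED without a credential secret`);
  }
  return value;
}

// Build the settings object Node-RED expects. Only credentialSecret matters
// here; the rest of a normal settings.js sits alongside it unchanged.
function buildSettings(env) {
  return {
    uiPort: 1880,
    credentialSecret: credentialSecretFromEnv(env),
  };
}

// In the real settings.js the module ends with:
//   module.exports = buildSettings(process.env);
// so the secret never appears in the file that is committed to git.
// The value is supplied outside the repo, e.g. in the systemd unit:
//   [Service]
//   EnvironmentFile=/etc/node-red/secrets.env   (root-owned, mode 0600)
// where secrets.env contains NODE_RED_CREDENTIAL_SECRET=<value>; systemd
// reads that file before switching to the Node-RED user, so the process
// gets the variable without being able to read the file itself.
```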

Thanks that solves it! Can use env variables in that file.

Out of curiosity, what is the purpose of encrypting credentials if the password is stored in a neighboring file in the same folder?

None whatsoever!

That's why I didn't suggest doing that. The systemd env setting should NEVER be accessible to Node-RED. That is why I always recommend installing and running Node-RED under its own user/group so that you can better control what it has access to.

I run it in docker. I think NR must be able to read all files to be able to run properly (settings.js, .env.json and flows_cred.json). I could put the password in the env file, but come to think of it, we have all credentials there already, so I don't think it will be much use to hide the credentialSecret anyway, since it doesn't have any secrets. So I may just add a dummy password to settings.js to silence the warning on startup...

Just don't forget in the future!

It is also possible that some GitHub security checks might whinge at you - I'm not sure how deeply they check for embedded credentials.

Hopefully, you ARE making use of GitHub's security features to protect your repos.

1 Like

Yeah, mustn't actually add any secrets directly into NR, that's true. We upgraded to a paid GitHub subscription to be able to store secrets for the CI/CD pipeline, but that's for another system, not NR. Other than that, it's a private repo. And even then, if it had a breach or was public, the env file isn't stored there anyway. So the only thing that's there is the dummy password to encrypt an empty flows_cred.json :smiley:

That works fine for settings.js. But I later discovered that when using projects, credentialSecret in settings.js is ignored and instead the one in .config.projects.json is used, which means it's a JSON file, not JavaScript. How then to insert the value dynamically from the environment?

I don't ever use projects so I might be wrong but I don't think you can do anything useful there.

Personally, I don't find the projects feature useful.

It allows for having different flows all connected to the same node red. Which is exactly what I need. 1 node red, many flows. And it includes a simple git client.

I know what it does, I just don't find it useful. It isn't a true "project" style environment in my view but more of a hybrid since you still only have a single settings file and you cannot run multiple projects in parallel. The last feature being what would attract me to them. As for git, I can do that with my single environment if I want and would simply put any relevant git commands as npm run scripts in package.json so I didn't have to remember the arcane git spells.

I also don't find git especially helpful for Node-RED anyway, at least at the instance/project level. I use automated backup scripts which keep multiple versions. So there is no danger of me forgetting to commit something.

1 Like