Managing secrets in FlowFuse

Hi, I'm starting an experiment / evaluation of FlowFuse and Node-RED in our organisation, initially with a local installation of Node-RED. We have some internal APIs that we need to call, and these are secured by JSON Web Tokens (JWTs), issued by a token issuing API.

Node-RED flows need to send a request, signed with a private key, to the token issuing service, and can then use the token in an HTTP header to call the other APIs. I have this working in vanilla Node RED, so far so good, though I needed to import a NodeJS module and write a function node. The issue is how to safely store and administer the private key, which may be specific to a FlowFuse Application. I'm currently storing this as a file in a specific folder on the server, and having the flow load it at runtime, but this only restricts the key to the account Node-RED is running under, rather than restricting it to specific flows..

Is there any feature in FlowFuse that would allow a secure and more scalable way of managing these keys? How would I handle this if we were deploying this on a FlowFuse cloud instance?

Many thanks for any suggestions!

Hi Steve.

You can use Environment Variables set in the FlowFuse instance settings.

You can then pick that up and use it in your Node-RED instance, e.g., in your current function call:

const KEY = env.get('MY_PRIVATE_KEY')
// do what you need with the hey
return msg

The ENV VAR will only be available to that one instance (not "gettable" from other node-red instances)

Does that help?

Hi, yes, that's helpful, thanks. Is the idea then that the FlowFuse Admin manages those environment variables (including the private keys) through the FlowFuse administration console? Sorry for the very basic questions - for internal process reasons I'm waiting for access to the infrastructure to do a proper FlowFuse installation and I can't use a cloud instance at this stage, so I may not yet have understood the product properly.

Hi Steve,

Currently Members and Owners are the only ones that are able to edit environment variables.

Viewers will be able to see the contents of an Environment Variable, but not be able to edit. There is a feature request to add some view restrictions. Feel free to comment or like if you would like to see this prioritized.

Role-base Access Control