Moving node-RED - Failed to decrypt credentials

Currently running node-RED on a local Raspberry Pi, and in the process of moving all flows etc. to an Oracle VM.
In the Pi, I've been using 'Projects', but in the VM I will not be using 'Projects'.
So, I've created an archive comprising the following files from the Pi;

flows_raspberrypi_cred.json  (from projects/master_flow/)
flows_raspberrypi.json       (from projects/master_flow/)
package.json                 (from projects/master_flow/)
.sessions.json               (from .node-red/)
settings.js                  (from .node-red/)
.config.json                 (from .node-red/)
lib                          (from .node-red/)

as per the cookbook.

Tonight I'm intending to restore these in the VM, in the .node-red/ folder.
I am already using a credentialSecret hash in my Pi's settings file, so I've added the same hash to the VM's setting file.

Does all this look correct? Also, do I need to rename most of the files, for example from 'flows_raspberrypi.json' to 'flows_digitalnut.json' (change the machine name)?

Like all answers 'it depends'. You can start NR using node-red yourflowname so you could use node-red flows_raspberrypi.json. You could also hard code the flow file in settings.js. If you want it to connect to it automatically, then use the flows_<hostname>.json format.

That is the first thing I change in my settings.js

I always use flowFile: 'flows.json' because the default format with hostname is really annoying.

So I guess I'm going to have to add;
flowFile: 'flows_raspberrypi.json'
to my VM's node-RED settings...

Or just use flows.json for your workspaces and rename the file. :grinning:

So if I rename the flows file to flows.json, the cred file would also need changing to flows_cred.json?

Exactly. :slightly_smiling_face:

I use the flows.json as name for all of my instances. This way I can move them around easily, and your workspace always looks consistent.


If you want to just use flows.json you still have to uncomment the line in settings.js to tell it to only use that as the name

// The file containing the flows. If not set, it defaults to flows_<hostname>.json
//flowFile: 'flows.json',

Well I did exactly what was discussed above, and upon starting node-RED I got;

12 Nov 19:37:24 - [info] Server now running at
12 Nov 19:37:24 - [warn] Error loading credentials: SyntaxError: Unexpected token  in JSON at position 0
12 Nov 19:37:24 - [warn] Error loading flows: Error: Failed to decrypt credentials
12 Nov 19:37:24 - [info] Starting flows
12 Nov 19:37:24 - [info] Started flows

....and this message;


Any ideas why this has happened, and how it can be recovered please?

Things I would look for:

Check for syntax errors in the settings.js.

In your settings.js, is the value of credentialSecret the same as on the other machine?
If it was not set, then Node-RED will use a random one and print a big fat warning on start-up. I don't know where this random key is stored.
If you changed it, then just use that value. I read that you used Projects, so this key is likely in the project's subdir in the settings.json.

No errors, in fact this morning I re-copied settings.js from my original working local Pi, and have used that settings file in the VM instance (just amended https entry).
I get the same error.

As above - using a copy of the same settings file.

Yes, that's the one I'm using.

When "Projects" is turned off, all settings are in the settings.js (not .json).

I have never used the Projects feature, but I think the credentialSecret key is in your projects/master_flow/settings.json on the old machine.
You need to add that key to the settings.js on your new machine.

You might be quicker just to let it reset the credentials and re-enter them in each config node.

Yes, indeed (typo)

Nope, there are no settings there. The only settings (which are also shown in the NR log) are in .node-red/settings.js

There are about 4 years' worth of credentials which will be a pain to recover and re-enter.

Also, from a trust perspective, users need to have confidence that node-RED backups can be safely restored, otherwise what's the value in creating backups.
This example shows otherwise...

I just tried to move a flow and the credentials from a Pi to my Mac and I hit the same issue:

13 Nov 05:23:41 - [warn] Error loading credentials: SyntaxError: Unexpected token � in JSON at position 0
13 Nov 05:23:41 - [warn] Error loading flows: Error: Failed to decrypt credentials

in this case the original flow was NOT in a project. I then realized I had not moved the .config.json. Once I did, it worked fine.

So I would recheck the original .config.json against the one in the Oracle VM to make sure they are the same.

Maybe the auto-generated credentialSecret is stored in there. That would explain it.

I just checked... it is indeed in the .config.json as key _credentialSecret

So once you set credentialSecret in your settings.js with your own secret, it will be removed from there at the next launch and the existing credentials will be re-encrypted with your own key.

For reference, these are the files I commit to source control. Everything to run the instance is in there. I just need to run npm install after checkout. So backups of your workspace are not really an issue if you follow that setup.

├── .gitignore
├── flows_cred.json
├── flows.json
├── package.json
├── package-lock.json
└── settings.js

These settings are important for this:

flowFile: 'flows.json',
flowFilePretty: true,
credentialSecret: "your key here...",

Thanks for testing Paul.
I think that the issue may be in the last few lines of the .config.json file;

"projects": {
  "projects": {
   "Master_flow": {
    "credentialSecret": "mysecret"
   },
   "Store": {
    "credentialSecret": "mysecret"
   }
  },
  "activeProject": "Master_flow"
}

Where it's still referring to 'projects' & "activeProject": "Master_flow"
What are the last entries in your .config.json file Paul?

You can try to use the credentialSecret from the "Master_flow" section. That is the actual secret that was used to encrypt the credentials.

Just set it as credentialSecret in the settings.js on the new machine.

And, on the new machine, look out for the _credentialSecret in .config.json. I think it should be removed beforehand (or delete the .config.json, it will be regenerated)

I think by now it would be best to start the migration again with a fresh Node-RED workspace on the target machine. I have some steps in mind that you could follow. I can write them down, if you want.
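
An added example (not from any poster in this thread, and not Node-RED's own code): a Node.js check of which candidate secret actually decrypts a credentials file, so the right value can be put in settings.js before starting the new instance. It assumes the Node-RED credentials format of a `"$"` field holding a 32-hex-character IV followed by base64 AES-256-CTR ciphertext, keyed with the SHA-256 of the secret; the sample file and the first two candidate values are constructed, and the function names are hypothetical.

```javascript
// Added example, not Node-RED's own code: find which candidate secret decrypts
// a credentials file. Assumed format: {"$": "<32 hex chars IV><base64 ciphertext>"},
// AES-256-CTR, key = SHA-256 of the secret string.
const nodeCrypto = require("crypto");

const deriveKey = (secret) => nodeCrypto.createHash("sha256").update(secret).digest();

// Used here only to build the constructed sample file below.
function encryptCredentials(secret, creds) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv("aes-256-ctr", deriveKey(secret), iv);
  const body = cipher.update(JSON.stringify(creds), "utf8", "base64") + cipher.final("base64");
  return { $: iv.toString("hex") + body };
}

// Returns the decrypted object, or null when the secret does not fit.
function tryDecrypt(secret, credFile) {
  const blob = credFile.$;
  if (typeof blob !== "string" || blob.length < 32) return null;
  try {
    const iv = Buffer.from(blob.slice(0, 32), "hex");
    const decipher = nodeCrypto.createDecipheriv("aes-256-ctr", deriveKey(secret), iv);
    const text = decipher.update(blob.slice(32), "base64", "utf8") + decipher.final("utf8");
    // CTR mode has no integrity check: a wrong key yields garbage bytes, and the
    // failure only shows up as a JSON SyntaxError at position 0, as in the log.
    const parsed = JSON.parse(text);
    return parsed !== null && typeof parsed === "object" ? parsed : null;
  } catch (err) {
    return null;
  }
}

// candidates maps a label (where the secret came from) to the secret string.
function findWorkingSecret(candidates, credFile) {
  for (const [label, secret] of Object.entries(candidates)) {
    if (typeof secret === "string" && tryDecrypt(secret, credFile)) return label;
  }
  return null;
}

// Constructed sample: a file encrypted with the project secret, as in this thread.
const sampleFile = encryptCredentials("mysecret", { "node-id-1": { password: "example" } });
const sampleCandidates = {
  "settings.js credentialSecret": "constructed-settings-hash",
  ".config.json _credentialSecret": "constructed-auto-key",
  ".config.json projects.Master_flow.credentialSecret": "mysecret",
};
console.log("decrypts with:", findWorkingSecret(sampleCandidates, sampleFile));
```

For a real migration, replace `sampleFile` with the parsed contents of the copied credentials file and fill the candidates from the old machine's settings.js and .config.json.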