Moving node-RED - Failed to decrypt credentials

Paul-Reed · 12 November 2019 10:22

Currently running node-RED on a local Raspberry Pi, and in the process of moving all flows etc to a Oracle VM.
In the Pi, I've been using 'Projects', but in the VM I will not be using 'Projects'.
So, I've created an archive comprising of the following files from the Pi;

flows_raspberrypi_cred.json  (from projects/master_flow/)
flows_raspberrypi.json       (from projects/master_flow/)
package.json                 (from projects/master_flow/)
.sessions.json               (from .node-red/)
settings.js                  (from .node-red/)
.config.json                 (from .node-red/)
lib                          (from .node-red/)

as per the the cookbook.

Tonight I'm intending to restore these in the VM, in the .node-red/ folder.
I am already using a credentialSecret hash in my Pi's settings file, so I've added the same hash to the VM's setting file.

Does all this look correct? also, do I need to rename most of the files from for example 'flows_raspberrypi.json' to 'flows_digitalnut.json' (change the machine name)

zenofmud · 12 November 2019 10:48

Like all answers 'it depends'. You can start NR using node-red yourflowname so you could use node-red flows_raspberrypi.json. You could also hard code the flow file in settings.js. If you want it to connect to it automatically, then use the flows_<hostname>.json format.

kuema · 12 November 2019 10:50

That is the first thing I change in my settings.js

I always use flowFile: 'flows.json' because the default format with hostname is really annoying.

Paul-Reed · 12 November 2019 13:40

So I guess I'm going to have to add;
flowFile: 'flows_raspberrypi.json'
to my VM's node-RED settings...

kuema · 12 November 2019 14:08

Or just use flows.json for your workspaces and rename the file.

Paul-Reed · 12 November 2019 14:14

So if I rename the flows file to flows.json, the cred file would also need changing to flows_cred.json?

kuema · 12 November 2019 14:18

Exactly.

I use the flows.json as name for all of my instances. This way I can move them around easily, and your workspace always looks consistent.

zenofmud · 12 November 2019 14:24

If you want to just use flows.json you still have to uncomment the line in settings.js to tell it to only use that as the name

// The file containing the flows. If not set, it defaults to flows_<hostname>.json
//flowFile: 'flows.json',

Paul-Reed · 12 November 2019 19:43

Well I did exactly what was discussed above, and upon starting node-RED I got;

12 Nov 19:37:24 - [info] Server now running at https://127.0.0.1:1880/
12 Nov 19:37:24 - [warn] Error loading credentials: SyntaxError: Unexpected token  in JSON at position 0
12 Nov 19:37:24 - [warn] Error loading flows: Error: Failed to decrypt credentials
12 Nov 19:37:24 - [info] Starting flows
12 Nov 19:37:24 - [info] Started flows

....and this message;

creds

Any ideas why this has happened, and how it can be recovered please?

kuema · 13 November 2019 05:42

Things I would look for:

Check for syntax errors in the settings.js.

In your settings.js, is the value of credentialSecret the same as on the other machine?
If it was not set, then Node-RED will use a random one and print a big fat warning on start-up. I don't know where this random key is stored.
If you changed it, then just use that value. I read that you used Projects, so this key is likely in the project's subdir in the settings.json.

Paul-Reed · 13 November 2019 09:40

No errors, in fact this morning I re-copied settings.js from my original working local Pi, and have used that settings file in the VM instance (just amended https entry).
I get the same error.

As above - using a copy of the same settings file.

Yes, that's the one I'm using.

kuema · 13 November 2019 09:57

When "Projects" is turned off, all settings are in the settings.js (not .json).

I have never used the Projects feature, but I think the credentialSecret key is in your projects/master_flow/settings.json on the old machine.
You need to add that key to the settings.js on your new machine.

Colin · 13 November 2019 09:58

You might be quicker just to let it reset the credentials and re-enter them in each config node.

Paul-Reed · 13 November 2019 10:06

Yes, indeed (typo)

Nope, there is no settings there. The only settings (and which is also shown in the NR log) is in .node-red/settings.js

There are about 4 years worth of credentials which will be a pain to recover and re-enter.

Also, from a trust perspective, users need to have confidence that node-RED backups can be safely restored, otherwise what's the value in creating backups.
This example shows otherwise...

zenofmud · 13 November 2019 10:30

I just tried to move a flow and the credentials from a Pi to my Mac and I hit the same issue:

13 Nov 05:23:41 - [warn] Error loading credentials: SyntaxError: Unexpected token � in JSON at position 0
13 Nov 05:23:41 - [warn] Error loading flows: Error: Failed to decrypt credentials

in this case the original flow was NOT in a project. I then realized I had not moved the .config.json. Once I did, it worked fine.

So I would recheck the original .config.json against the one in the oracle VM to make suer they are the same

kuema · 13 November 2019 10:33

Maybe the auto-generated credentialSecret is stored in there. That would explain it.

kuema · 13 November 2019 10:45

I just checked... it is indeed in the .config.json as key _credentialSecret

So once you set credentialSecret in your settings.js with your own secret, it will be removed from there at the next launch and the existing credentials will be re-encrypted with your own key.

For reference, these are the files I commit to source control. Everything to run the instance is in there. I just need to run npm install after checkout. So backups of your workspace are not really an issue if you follow that setup.

.
├── .gitignore
├── flows_cred.json
├── flows.json
├── package.json
├── package-lock.json
└── settings.js

NOTE:
These settings are important for this:

flowFile: 'flows.json',
flowFilePretty: true,
credentialSecret: "your key here...",

Paul-Reed · 13 November 2019 10:49

Thanks for testing Paul.
I think that the issue maybe in the last few lines of the .config.json file;

"projects": {
  "projects": {
   "Master_flow": {
    "credentialSecret": "mysecret"
   },
   "Store": {
    "credentialSecret": "mysecret"
   }
  },
  "activeProject": "Master_flow"
 }
}

Where it's still referring to 'projects' & "activeProject": "Master_flow"
What are the last entries in your .config.json file Paul?

kuema · 13 November 2019 10:53

You can try to use the credentialSecret from the "Master_flow" section. That is the actual secret that was used to encrypt the credentials.

Just set it as credentialSecret in the settings.js on the new machine.

And, on the new machine, look out for the _credentialSecret in .config.json. I think it should be removed beforehand (or delete the .config.json, it will be regenerated)

kuema · 13 November 2019 11:00

I think by now it would be best to start the migration again with a fresh Node-RED workspace on the target machine. I have some steps in mind that you could follow. I can write them down, if you want.

Topic		Replies	Views
Moving credentials to another machine (v3.0.2) General	4	646	13 September 2022
Rename flow file - Need to rename credential file too? General	2	1601	7 August 2019
Transfering node-red server to linux General	10	1925	17 December 2018
Moving Node Red Project to new install, missing credential? General	2	1177	17 December 2020
Automatic update of Flows on a 2nd machine? General	3	382	16 March 2021

Moving node-RED - Failed to decrypt credentials

Related topics