Thanks, but first I'd be interested to know what I asked in my last post, as that could be the issue.
None of that is in the json since there were no projects involved. Try taking it out.
That's what I thought. The
.config.json keeps different settings per project. And the key
"activeProject": "Master_flow" determines the project that is launched at start-up.
So to migrate from a projects to non-projects workspace, we need to piece all this data together into the right place.
Still the same with that section taken out unfortunately.
It seems strange that the "mysecret" in
.config.json, isn't a hash, it's a single word password
Strange, but it should not matter. As soon as it is set to any string, it will be used as encryption key.
Just to let you know. i reproduced this
pi with projects -> macOS no projects
13 Nov 07:04:33 - [warn] Error loading credentials: SyntaxError: Unexpected token e in JSON at position 0 13 Nov 07:04:33 - [warn] Error loading flows: Error: Failed to decrypt credentials
That's good, perhaps @knolleary has thoughts on this.
What steps did you take exactly? What files did you copy? Did you copy and properties from one file to another?
Let me try to explain all the different bits.
credentialSecretis not set in your
settings.jsfile, then NR will generate a key and store it in
.config.jsonat the top level of the object under the name
_credentialSecret. This is a long randomly generated string.
credentialSecretis set in your
settings.jsfile, then NR will use that instead.
- if it finds
settings.jsthen we assume this is the first time you've run since setting
credentialSecretand the runtime will re-encrypt the credential file using
credentialSecretand then delete
_credentialSecretas it is no longer needed. (Technically it does this migration the first time you hit Deploy after starting it up in this state).
- if projects are enabled then it ignores
credentialSecretin your settings file and
- Instead it uses the project-specific credential secret that is also stored in the
.config.jsonfile under the
Migrating from Projects on Device A to Not-Projects on Device B
To do this you need to:
- copy the flow and credential files from the projects subdirectory on Device A onto Device B
- copy the value of
.config.jsonon Device A to
settings.jsfile on Device B
I know this works cause I've just run a workshop with a room full of developers who were doing pretty much exactly this (albeit Device B is actually an instance running in a Cloud environment).
The value of
.credentialSecret from.config.json on Device A is a plain text password, whilst the
credentialSecret in the settings.js file is curently a hash. Is that expected?
It may look like a hash but it isn't - it's just a string of characters.
.config.json contains the project's credentialSecret value in plain text because:
- that is not a file you put in version control
- if we did encrypt it somehow, where would we store the key to decrypt it? We'd have to encrypt that key. But where would we store the key to decrypt that key? And so on.
Well the good news is that it works!!
All my credentials are now accessible.
@knolleary Worked for me too! Thanks Nick!
In my case credentials contains of plaintext characters and were absolutely identical in both cases, but decryption had not worked until I removed manually _credentialSecret from .config on the site where projects were disabled.
@knolleary I would like to draw your attention to the fact that the _credentialSecret is not automatically deleted without hit "Deploy" button even if the credentialSecret present in settings.js. Please consider, that sometimes users can't hit "Deploy" button manually to change .config.json because they have only "read" rigths. Sometimes prepared flows.json files just copied to production environment where disableEditor:true setting is activated; On my opinion the behaviour like this is a bug. You shouldn't wait when "Deploy" button will be hit. I believe that _credentialSecret from .config.json have to removed immediately when credentialSecret will appear in settings.js
I've checked Node-RED 1.0.4 and latest from the official docker containers. I think you can simply reproduce this bug - the behaviour is exactly the same as the scenario you had described in your Nov 19th post. Please think to change algorithm and exclude "Deploy" hit from the scenario.
@eitijupaenoithoowohd we can only remove
.config.json when we know that the credentials file has been re-encrypted according to the
credentialSecret value from the settings file. That means rewriting the credentials file, and we only do that when the user hits the Deploy button.
If you are copying flows files onto a system then you need to make sure its settings.js file have the right
credentialSecret in it before you run the flows.
If you have previously run Node-RED on that system without a credentialSecret in its settings file, then it will have generated
_credentialSecret in the
.config.json file and you'll need to either remove the value yourself from the file, or delete the
@knolleary Thank you for your detailed answer.
I have understood that simple solution is not exists and impossible to do re-encryption without "Deploy" hit. And this is the basic problem.
I want to explain. In my case the copied flows files got from a site where projects was enabled and
credentialSecret being in
.config.json but not in
I would like to leave my post in this topic to someone, who will have the same problem like me. I hope my experience will be useful.