MSSQL Plus Node - encrypt password when it's an env variable - security pov?

Hi Everyone,

This is related to "node-red-contrib-mssql-plus" node.

While I have opened a FR request for the same, I wanted to check with the forum as well.
I have a situation where I cannot change the node credentials while deploying to prod env. And we need to put the DB credentials using env variables in settings.js so that the same deployment can work across envs.
(It's a Docker env).

The challenge is - if we put the DB password in settings.js - it's in plain view - leading to security risk.

Is there any way to pass the password as an encrypted value (the env variable value) and then the node will decrypt it?

Can't you use environment variables for the password property - ${My_password} etc. - see Using environment variables : Node-RED and then pass them into your docker via the command line -E option?

No there is not. Nor is there a standard mechanism or agreed method (AFAIK) for passing encrypted credentials to a config node. However, if you store the details in the config node they are encrypted in the flow.creds.json file.

Username and Password are set.

Username and Password are NOT exported.

My challenge is whether I pass it with -E or as an entry in settings.js - it would be in plain text and anyone can see it. Causing security challenge. So I want to pass an encrypted via. and some way for the node to decrypt it.

I am already exploring with the teams if this can work.
In absence of their agreement, wanted to explore if the password can be passed as encrypted value and maybe some way to decrypt it.

I have added it as a FR for future. Let me go to my team and see if I can convince them.

Will come back if I have any new query on this.

Hi @Steve-Mcl ,

Coming back to this.
We implemented the env variables for MSSQL config node. But what I see is even in case of mustache format the user and password (which are now env variables) are not exported.

I would have assumed that since we have now env variables there - the placeholders would be exported.

Challenge is - when moving this configuration from 1 env to other - it means the user still needs to connect to the front end and set up the config node. Is my understanding correct?

I want to achieve the following:

  1. Export flows from 1 env to other - which is connected to a different DB instance.
  2. In the SQL nodes - I define the configuration using env variables.
  3. Post deployment to new env it picks up the env variables.

But if I need to again login and type out the user password - then I cannot achieve 100% automation.

Please correct if my understanding on this is incorrect.

If I understand you, you have used (something like) ${user} and ${pass} as the username and password but when you export / import, these are lost?

That is (unfortunately) the designed behaviour.

I suspect a feature request with a concrete proposal is required.

EDIT...

This is by design to prevent the editor being able to expose credentials. Again though, if you can raise a good argument / Feature Request, please do so in #development:feature-requests

This is right. This is indeed what I want to achieve. I have 10 environments and increasing.
Keeping same user / password in every env - both prod and non prod is a security risk.

What I want to do is once Development is finished - the flow is exported to prod environment and without having to open the flow and changing user/pass (even if it means setting it to {{{user}}} / {{{pass}}}) it should work since these are already exported in the env.

Currently a manual intervention step is needed in every environment I export the flow to - which negates automation.
I will open a FR on the link.

Thank You so much for your super quick response.

If you are wanting to automate the deployment, can you not do so using the flow/credential files directly, rather than manually copy/pasting via the editors?

Hi Nick,

This works if the same credential is used across env - which will not be the case for prod and non prod. Even in non prod - depending on env - the credential varies. So today what happens is:

  1. We deploy the flows in automated manner across multiple environments. No human intervention in the deployment process. This is done by putting our flows as a file in our storage repository which deployment folks take it via. their automations.

  2. We will be setting all parameters of MSSQL as env variables including user and pass are part of deployment process. These would be specific to that environment. Example DB/Server is different per env.

  3. What happens is post this automated deployment, specifically for user/pass - someone needs to open the editor and manually set it. Even if we copy the credential files directly to the target env - the source and target do not have the same credentials.

I was hoping that when we send the final flows post our tests for deployment the placeholders for user and pass also get deployed as placeholders and pick up values from that specific env.

Hope I could explain it.

Is that done by taking the flows.json and flow_creds.json files from the backend? Or by exporting them from the editor?

If you can do that via the files themselves and not through the editor, then all of the issues can be solved. The flow_creds.json will contain the credential properties - which can be ${FOO} style env var references.
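
A pre-deployment check for the approach described above, as an added example that is not part of the original thread or of Node-RED's own code. It assumes the credentials file has been read as plain JSON in the shape `{ "<node id>": { "<property>": "<value>" } }`; the node ids, property names and variable names in the sample are constructed. It flags credential properties that hold a literal value instead of a whole-value `${NAME}` reference, and references whose variable is not set in the target environment.

```javascript
// Added example: audit a Node-RED credentials file before it is committed or deployed.
// A property counts as an env reference only when the WHOLE value is ${NAME}.
const WHOLE_VALUE_REF = /^\$\{([^}]+)\}$/;

function auditCredentials(creds, env) {
  const report = { encrypted: false, literals: [], missingEnv: [], ok: [] };
  // An encrypted credentials file is a single "$" key holding an opaque string;
  // it cannot be inspected here, so report that and stop.
  if (typeof creds.$ === 'string') {
    report.encrypted = true;
    return report;
  }
  for (const [nodeId, props] of Object.entries(creds)) {
    for (const [prop, value] of Object.entries(props)) {
      if (typeof value !== 'string' || value === '') continue;
      const where = `${nodeId}.${prop}`;
      const match = WHOLE_VALUE_REF.exec(value);
      if (!match) {
        report.literals.push(where); // record the location only, never the value
      } else if (env[match[1]] === undefined || env[match[1]] === '') {
        report.missingEnv.push(`${where} -> ${match[1]}`);
      } else {
        report.ok.push(where);
      }
    }
  }
  return report;
}

// Constructed sample: two config nodes, one of which still holds a literal password.
const sampleCreds = {
  'a1b2c3d4.e5f6a7': { username: '${MSSQL_USER}', password: '${MSSQL_PASS}' },
  'b2c3d4e5.f6a7b8': { username: '${REPORT_DB_USER}', password: 'Sup3rS3cret!' },
};
// Constructed stand-in for process.env in the target environment.
const sampleEnv = { MSSQL_USER: 'svc_nodered', MSSQL_PASS: 'placeholder-value' };

function runSample() {
  return auditCredentials(sampleCreds, sampleEnv);
}

console.log(JSON.stringify(runSample(), null, 2));
```

In a pipeline, pass the parsed credentials file and `process.env`, and fail the job when `literals` or `missingEnv` is non-empty.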

Yes. You are right. The backup to our repository is via. export from editor.

This can definitely be explored. I will check this aspect. You are right taking the cred file - would automatically take the {{}} defined params.

Thank You for this advice. Helps me move ahead.
I will come back.
