Node-red nodes and password

Hi,

There are quite a few different nodes available to conect Note-red to different systems like SQL, Samba, MQTT etc. Most of them need a password to work of course. But, how safe is this passwords actually stored. Are they encrypted in some way? If I run Node Red on a Raspberry PI, would someone with physical access to the RPI, also have access to the configured passwords?

No, the password is encrypted and not visable.

1 Like

To expand on that, assuming that the node is correctly written, credentials are kept in a separate file to your flows. That file is encrypted using a key in your settings.js that you should certainly change.

So if you export a flow from the Editor, the credentials are not exported - as you would expect.

If someone gets hold of the credentials file, it is encrypted - but, if they have access to that file, they will also have access to the settings.js file which is in the same folder (your userDir folder, usually ~/.node-red). The settings file has the key in it so, in theory, the credentials file could be de-encrypted.

The answer to your 2nd question then is yes.

But this is no different to any other service you are running that needs access to a secondary service. The credentials have to be somewhere and even if they are encrypted, the key has to be somewhere.

There are various ways to mitigate this issue, here are a few:

  • Keep the secure services on a different server, physically and logically separate to your main Node-RED server. So it could be Node-RED on a different device, locked away somewhere. Node-RED has so many ways of interacting with other systems, getting data between two of them is rarely an issue.

    This is probably the easiest and cheapest approach.

  • Use a hardware encryption device

    This is certainly secure but also typically very expensive.

  • Use a global cloud provider that includes a keystore

    Such as Microsoft Azure.

Of course, it would be nice if Node-RED could interact with a keystore itself but that is quite complex.

3 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.