Possible to change the location of settings.js when running Node-RED as a service?

Hi all,

For security reasons, I would like to change the location of settings.js when running Node-RED as a service.

Is it possible to do so?

(From what I've seen, it's only possible from the command line, hence my question).

Thank you

Yes, the -s or --settings option is the only means.

However, if you specify a NODE_RED_HOME env var then all files (including the settings.js file) will reside in the path specified by NODE_RED_HOME.

Is it not enough to secure access to this file instead of moving it?

Also, can't you simply provide the settings file path via the -s option for your service?

Is it not enough to secure access to this file instead of moving it?

The whole system is 100% secure, however it still does not prevent somebody copying/cloning the content of the HDD/SSD, finding out the settings.js file and easily retrieving the code developed in Node-RED.

Therefore, I'm trying to find a way to even "hide" the settings.js as much as possible, rather than leaving it in the default folder.

You should be able to specify it in the service file. For example, if you are using Debian/Ubuntu/Raspbian and installed using the recommended script then, in the service file /lib/systemd/system/nodered.service, you can set it in the ExecStart line or in NODE_RED_OPTIONS.

If you want to stop somebody copying the disc then encrypt the partition on the disc.
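
A sketch of the service-file approach described above, as an added example that is not part of the original thread: it writes a systemd drop-in that passes -s through NODE_RED_OPTIONS, and refuses to do so unless the settings file is closed to group and others. The drop-in directory, the sample path and the function names are assumptions, as is the unit expanding $NODE_RED_OPTIONS unbraced on its ExecStart line.

```shell
#!/bin/sh
# Added example; paths are placeholders, not values from the thread.

# Print a drop-in that points Node-RED at a relocated settings file.
# Assumption: ExecStart uses $NODE_RED_OPTIONS unbraced, so systemd splits
# the value on whitespace and "-s" and the path arrive as two arguments.
# This assignment replaces any NODE_RED_OPTIONS value set in the stock unit.
render_dropin() {
    settings=$1
    case $settings in
        /*) ;;
        *)  echo "settings path must be absolute" >&2; return 1 ;;
    esac
    # Whitespace or quotes would be re-split or mis-parsed by systemd,
    # so accept only a conservative character set.
    case $settings in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in path" >&2; return 1 ;;
    esac
    printf '[Service]\nEnvironment="NODE_RED_OPTIONS=-s %s"\n' "$settings"
}

# Succeed only if FILE exists and grants nothing to group or others
# (characters 5-10 of the ls -l mode string are all '-').
is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Write override.conf under UNIT_DIR, but only for a private settings file.
install_dropin() {
    unit_dir=$1
    settings=$2
    is_private "$settings" || {
        echo "refusing: $settings is missing or open to group/others" >&2
        return 1
    }
    conf=$(render_dropin "$settings") || return 1
    mkdir -p "$unit_dir" && printf '%s\n' "$conf" > "$unit_dir/override.conf"
}

# Usage (as root), followed by: systemctl daemon-reload
#   install_dropin /etc/systemd/system/nodered.service.d /opt/example/settings.js
```

The drop-in is stored on the same disk as the settings file and names its path in clear text, so relocating settings.js changes nothing for someone who can read the disk offline.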


Thanks a lot, @Colin

Sorry for asking here, I hope you don't mind. Which tool would you recommend to encrypt the partition?

There are so many out there... I see Cryptsetup coming back often, but is there anything even better than that?

Here is a good description:

Why are you so worried about that particular file? How does knowing where it is allow access to your node-red code?

I am somewhat concerned that you appear to be doing fairly complex tasks such as attempting to make your site fully secure and taking it to such levels that you are worried about someone stealing the disk, but do not seem to have a basic knowledge of systemd scripts and disc encryption. If it is really important to you that everything is secure then I highly recommend consulting a professional, otherwise you may have left security holes lying around.

Hi @Colin

I get your point, no offense taken. Let me give a little bit more background:

The software runs on a Raspberry Pi, and the user must not have to type in a password to boot.

After hours of research, the only answers I can find are:

  • Glue your SD card
  • Weld/Solder a metallic plate on top of the SD card
  • Physically lock your SD card with a special enclosure

Needless to say, if encrypting the partition is actually doable, is it possible to have the application (Node-RED) installed in partition A (unencrypted for instance) but all the important files such as Node-RED flows stored in partition B (obviously encrypted)?

Therefore my questions. I've done my due diligence, I just can't find how to prevent somebody from simply copying/pasting the content of the SD card.

Gluing the card in won't be enough. You must also stop someone plugging in a USB stick and copying to that. Also you will need to make sure there is no network access to the device, by wifi or ethernet, and no way of enabling the wifi or plugging in an ethernet cable. Possibly that would need you to destroy the network chips or connector.

You didn't explain why you are particularly concerned about settings.js, or is that no longer a requirement?

Hi @Colin

I've implemented all that I could think of to protect the SD card content while in use:

  • Two SSH users
  • Basic SSH user only in order to connect to the machine using SSH over a different port than 22
  • Super user that cannot be used to directly log in to the machine using SSH: the only SSH access is via the basic user, then I need to connect to the super user via that basic user
  • Root user disabled/deleted
  • Node-RED GUI protected with a password
  • Followed by Node-RED GUI disabled (!)
  • Wifi disabled with the config file / raspi-config.
  • All Ethernet ports disabled (except the native one obviously)
  • etc.

All the above is great (and definitely good security) while nobody has physical access to the SD card.

However, that's definitely not enough if somebody is able to access the content of the SD card, which as you know, is extremely easy to do.

One question: Is it possible to have the application (Node-RED) installed in partition A (unencrypted for instance) but all the important files such as Node-RED flows stored in partition B (obviously encrypted)?

I'm looking at a way for particular files/folders to not be accessible/readable, even with the SD card in hand.

Why I am concerned about settings.js: because once having access to settings.js, one can easily find the flows filename and path, then copy the file, and years of work are gone...

Edit: Have you ever heard of ZYMBIT - ZYMKEY4, Essential Security for Raspberry Pi ?

Yes, note though, that when node-red is running the disk will be decrypted.

If the user can unplug the SD card then he could plug it into a PC and change all those settings so he can SSH in as superuser. Then, once node-red is running he would be able to access the flows.

Thanks a lot, @Colin

I'm going to give a try to: ZYMBIT - ZYMKEY4, Essential Security for Raspberry Pi

Have you ever heard of it?

No, but that does not mean anything.

As I said earlier, if it is that important then you really should take advice from a professional consultant.

Just remember that those tools only help security when the server is turned off, not when it is running. To have encrypted data when running, you really need a hardware security module where you can offload some security processing.
