Securing flow file in production

Hi Everyone,
I'm looking for some advice on securely deploying node-red to production.

I have a device running a Debian system with node-red running.
My concern is that the flows file can be accessed by anyone who pulls the SD card out of the device and attaches it to any other system: they can open the flows file and simply get all my source code.

If there is no way within node-red to secure it so it cannot be read by a casual power-user (let's call it that :slight_smile: ), did anyone have any luck doing something similar using Linux-based tools to encrypt and decrypt the flows file or the entire home directory?

I'm also looking to move from SD to a Compute Module with eMMC storage so it would be harder for someone to actually get to the device storage.

Any advice?

Unfortunately, that's a general problem with NodeJS applications.

FWIW, a while back there was a similar discussion here: Need a means to protect my source code

The common approach is to keep secure compute on a secured, separate platform. Use comms to send data from that to user-facing flows.

Then you can lock your secure system in a cabinet.

Thanks so much for the replies so far!
The issue is that I plan to put it on running appliances that will sit in client locations, so I cannot really close them down.
I'm also looking into eMMC storage solutions to move away from SD and make it harder to get to the files, but due to some production issues the Compute Module 4 from Raspberry Pi is a couple of weeks or months of wait.

I was also able to find a separate encryption module for the RPi, but it's pretty costly: Security Module for Raspberry Pi – ZYMBIT

Maybe there is something I can do with Docker?

Docker isn't a security fix. It can help stop people from changing things accidentally for sure but I don't think it can completely hide things - though I'm not a Docker expert so I could be wrong.

Another thing you could do would be to compile your code - but then you are moving away from purely using Node-RED. However, node.js does have good support for integration of modules that are partially or fully compiled. So if you could encapsulate some of the logic in a custom node, you could further move the code to a compiled library.

You are going to want to be certain that the effort is worth it though because that is a fairly costly option from a commercial viewpoint.

I would certainly question whether you really do need to hide the code. You could, instead, make a big selling point of using open source code and then focus on service rather than selling logic.
