Securing flow file in production

Hi Everyone,
I'm looking for some advice on securely deploying Node-RED to production.

I have a device running a Debian system with Node-RED running.
My concern is that the flows file can be accessed by anyone who pulls the SD card out of the device and attaches it to any other system: they can open the flows file and simply get all my source code.

If there is no way within Node-RED to secure it so it cannot be read by a casual power user (let's call it that :slight_smile:), has anyone had any luck doing something similar using Linux-based tools to encrypt and decrypt the flows file or the entire home directory?

I'm also looking to move from SD to a Compute Module with eMMC storage so it would be harder for someone to actually get to the device storage.

Any advice?

Unfortunately, that's a general problem with NodeJS applications.

FWIW, a while back there was a similar discussion here: Need a means to protect my source code

The common approach is to keep secure compute on a secured, separate platform. Use comms to send data from that to user-facing flows.

Then you can lock your secure system in a cabinet.

Thanks so much for the replies so far!
The issue is that I plan to put it on running appliances that will sit in client locations, so I cannot really lock them away.
I'm also looking into eMMC storage solutions to move away from SD and make it harder to get to the files, but due to some production issues the Compute Module 4 from Raspberry Pi is a couple of weeks or months of waiting away.

I was also able to find a separate encryption module for the Raspberry Pi, but it's pretty costly: Security Module for Raspberry Pi – ZYMBIT

Maybe there is something I can do with Docker?

Docker isn't a security fix. It can help stop people from changing things accidentally, for sure, but I don't think it can completely hide things, though I'm not a Docker expert so I could be wrong.

Another thing you could do would be to compile your code, but then you are moving away from purely using Node-RED. However, Node.js does have good support for integrating modules that are partially or fully compiled. So if you could encapsulate some of the logic in a custom node, you could further move the code to a compiled library.

You are going to want to be certain that the effort is worth it though because that is a fairly costly option from a commercial viewpoint.

I would certainly question whether you really do need to hide the code. You could, instead, make a big selling point of using open source code and then focus on service rather than selling logic.

