Should I be worried? (Message noticed while editing a flow)


Sorry folks, but this has me a bit stumped.

Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

Yeah, ok.
But to the best of my knowledge I disabled that because when I set up the secure login, FF would baulk at it and I have not heard any replies resolving the issue.

So I disabled that setting.

Or: So I thought.

This is an extract from the settings.js file:

    // Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See for details.
    //  New stuff for password.
    //    adminAuth: {
    //        type: "credentials",
    //        users: [{
    //            username: "me",
    //            password: "**TEXT DELETED FROM HERE**",
    //            permissions: "*"
    //        }]
    //    },
    //  End New stuff for password.

So, what is it talking about?
(Where can I see this "system-generated key" so I can copy it to a safe place?)



The encryption of your flow credentials file is unrelated to whether you have enabled logging into the editor or not.

The last paragraph tells you exactly what to do:



Yeah, ok. But opening the settings.js file and looking for that part, this is what I find:

    // By default, credentials are encrypted in storage using a generated key. To
    // specify your own secret, set the following property.
    // If you want to disable encryption of credentials, set this property to false.
    // Note: once you set this property, do not change it - doing so will prevent
    // node-red from being able to decrypt your existing credentials and they will be
    // lost.
    //credentialSecret: "a-secret-key",

Yeah, ok I get the first sentence.
Second sentence: "set the following property." I'm guessing that is the "credentialSecret" part.
But "set"?
Third sentence: If you want to disable encryption.........
Implies to me that it is set by default. Ok, I got the message in the original post. Ok.... Yeah.
Then the note:
Ok, so my credentials are (already/now) encrypted as I was told from the program.
So, what are my "choices"? Set the property to FALSE or make my own key and then I can never change it again.

So from where does this "a-secret-key" come?

I read this link:
(Written by some smart bloke)

So, after reading that and looking in my .node-red directory (see below)

pi@TimePi:~/.node-red $ ll
total 1444
drwxr-xr-x   4 pi pi   4096 Nov 11 16:10 lib/
drwxr-xr-x 304 pi pi  12288 Nov 11 17:46 node_modules/
drwxr-xr-x   6 pi pi   4096 Nov 11 16:14 public/
-rw-r--r--   1 pi pi     44 Nov 15 19:34 flows_TimePi_cred.json
-rw-r--r--   1 pi pi 925427 Dec 23 06:48 flows_TimePi.json
-rw-r--r--   1 pi pi   1574 Nov 11 17:47 package.json
-rw-r--r--   1 pi pi 510660 Nov 11 17:47 package-lock.json
-rw-r--r--   1 pi pi   9208 Nov 17 09:49 settings.js
pi@TimePi:~/.node-red $ 

All I would need to do to backup the secret file is copy the flows_TimePi_cred.json to a secure place.

Because if I make a "secret string" (I'm reading that as TEXT) I need to remember that if settings.js is ever corrupted - right?

I shall again state: I am not trying to be difficult I just don't see the bigger picture needing this and how it works.
I don't get that I need to make a "secret key" because if ever the system-generated one gets .... "lost" there will be problems.

If I specify my own and the file is corrupt, I need to remember that "phrase" as well.

Sorry, but what is the difference?

Is what I said above about making a backup of the flows_TimePi_cred.json file valid?



Maybe you should go back and reread this thread: The password/security settings article mentioned on the page



Hi Zenofmud.

Alas that was about 2 - 3 months ago.

Right now I am lucky to remember 1. (Yeah, MY problem, but it has far reaching effects.)

The secure login problem is still (as far as I know) unresolved if I use Firefox.
So I have to get over that problem.

Now NR is telling me a new thing about security.

I just saw another reply from you come in so I'll stop here and read it.



As @zenofmud says, we've already covered this.

If you want to encrypt your credentials you can either:

  1. Let the system generate a key and be unaware of what that key is. The key is written in .config.json - the runtime config file. That file is not intended for the user to care about.

  2. Be in full control of your system by choosing your own key and putting it in your settings file. You hopefully already backup your settings file so your key will be safe.

That is just how it is. Option 1 leaves users at risk of being unable to load their creds file if the runtime config is lost - which is why we print the warning and tell users to set credentialSecret in their settings file. The message we print tells you what to do. The comment in the settings file tells you what to do.



Um..... "this"....... Yeah, and I shall again say that I haven't heard any updates on why FF won't work if the settings are set, but opera will.
Granted it is pointing to FF as the problem, but I am not going to guess.

So I am reading #2 as saying I need to keep a copy of the settings.js file with the secretCredential password.

Ok. So that is true.



Yes. Presumably you have other settings in there you'd need to restore in the event of having to rebuild your system.

As for the login issue (which is entirely unrelated) we have had a small number of similar reports, but they only happen on very specific versions of FF and operating system. We have had no luck reproducing it ourselves so are no closer to understanding or fixing it.



On THIS issue:


Ok. Up to speed.

I keep the settings.js file backed up - preferably on another machine/device.

I only mentioned the other problem .... well, because it was referenced.
(I can't post any more on that thread for reasons outside my control. Last time I tried I was told I couldn't.)
Just on the second part - yeah off topic - no problems.
I can't expect you to fix any/all problems I find. Particularly if only a few people have it.
I'll stop now. Don't want to keep the off topic going too much.

Thanks again.
Confusion resolved.
(I hope)



Such issues are generally tracked using GitHub's Issues list rather than the forum.



This particular one, unable to login, is here:
