Should I be worried? (Message noticed while editing a flow)

Trying_to_learn · 25 December 2018 03:09

Sorry folks, but this has me a bit stumped.

Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

Yeah, ok.
But to the best of my knowledge I disabled that because when I set up the secure login, FF would baulk at it and I have not hear any replies resolving the issue.

So I disabled that setting.

Or: So I thought.

This is an extract from the settings.js file:

    // Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See http://nodered.org/docs/security.html for details.
//  New stuff for password.
//    adminAuth: {
//        type: "credentials",
//        users: [{
//            username: "me",
//            password: "**TEXT DELETED FROM HERE**",
//            permissions: "*"
//        }]
//    },
//  End New stuff for password.

So, what is it talking about?
(Where can I see this "system generated key" so I can copy it to a safe place.)

knolleary · 25 December 2018 07:31

The encryption of your flow credentials file is unrelated to whether you have enabled logging into the editor or not.

The last paragraph tells you exactly what to do:

Trying_to_learn · 25 December 2018 08:16

Yeah, ok. But opening the settings.js file and looking for that part, this is what I find:

// By default, credentials are encrypted in storage using a generated key. To
    // specify your own secret, set the following property.
    // If you want to disable encryption of credentials, set this property to false.
    // Note: once you set this property, do not change it - doing so will prevent
    // node-red from being able to decrypt your existing credentials and they will be
    // lost.
    //credentialSecret: "a-secret-key",

Yeah, ok I get the first sentence.
Second sentence: "set the following property." I'm guessing that is the credentialSecret" part.
But "set"?
Third sentence: If you want to disable encryption.........
Implies to me that it is set by default. Ok, I got the message in the original post. Ok.... Yeah.
Then the note:
Ok, so my credentials are (already/now) encrypted as I was told from the program.
So, what are my "choices"? Set the property to FALSE or make my own key and then I can never change it again.

So from where does this "a-secret-key" come?

I read this link:
credentialSecret
(Written by some smart bloke)

So, after reading that and looking in my .node-red directory (see below)

pi@TimePi:~/.node-red $ ll
total 1444
drwxr-xr-x   4 pi pi   4096 Nov 11 16:10 lib/
drwxr-xr-x 304 pi pi  12288 Nov 11 17:46 node_modules/
drwxr-xr-x   6 pi pi   4096 Nov 11 16:14 public/
-rw-r--r--   1 pi pi     44 Nov 15 19:34 flows_TimePi_cred.json
-rw-r--r--   1 pi pi 925427 Dec 23 06:48 flows_TimePi.json
-rw-r--r--   1 pi pi   1574 Nov 11 17:47 package.json
-rw-r--r--   1 pi pi 510660 Nov 11 17:47 package-lock.json
-rw-r--r--   1 pi pi   9208 Nov 17 09:49 settings.js
pi@TimePi:~/.node-red $

All I would need to do to backup the secret file is copy the flows_TimPi_cred.json to a secure place.

Because if I make a "secret string" (I'm reading that as TEXT) I need to remember that if settings.js is ever corrupted - right?

I shall again state: I am not trying to be difficult I just don't see the bigger picture needing this and how it works.
I don't get that I need to make s "secret key" because if there is ever the system generated one gets .... "lost" there will be problems.

If I specify my own and the file is corrupt, I need to remember that "phrase" as well.

Sorry, but what is the difference?

Is what I said above about making a backup of the flows_TimePi_cred.json file valid?

zenofmud · 25 December 2018 08:24

Maybe you should go back and reread this thread The password/security settings article mentioned on the page

Trying_to_learn · 25 December 2018 08:35

Hi Zenofmud.

Alas that was about 2 - 3 months ago.

Right now I am lucky to remember 1. (Yeah, MY problem, but it has far reaching effects.)

The secure login problem is still (as far as I know) unresolved if I use Firefox.
So I have to get over that problem.

Now NR is telling me a new thing about security.

I just saw another reply from you come in so I'll stop here and read it.

knolleary · 25 December 2018 08:38

As @zenofmud says, we've already covered this.

If you want to encrypt your credentials you can either:

let the system generate a key and be unaware of what that key is. The key is written in .config.json - the runtime config file. That file is not intended for the user to care about.
Be in full control of your system by choosing your own key and putting it in your settings file. You hopefully already backup your settings file so your key will be safe.

That is just how it is. Option 1 leaves users at risk of being unable to load their creds file if the runtime config is lost - which is why we print the warning and tell users to set credentialSecret in their settings file. The message we print tells you what to do. The comment in the settings file tells you what to do.

Trying_to_learn · 25 December 2018 08:43

Um..... "this"....... Yeah, and I shall again say that I haven't heard any updates on why FF won't work if the settings are set, but opera will.
Granted it is pointing to FF as the problem, but I am not going to guess.

So I am reading #2 as saying I need to keep a copy of the settings.js file with the secretCredential password.

Ok. So that is true.

knolleary · 25 December 2018 08:49

Yes. Presumably you have other settings in there you'd need to restore in the event of having to rebuild your system.

As for the login issue (which is entirely unrelated) we have had a small number of similar reports, but they only happen on very specific versions of FF and operating system. We have had no luck reproducing it ourselves so are no closer to understanding or fixing it.

Trying_to_learn · 25 December 2018 08:54

On THIS issue:

THANKS.

Ok. Up to speed.

I keep the settings.js file backed up - preferably on another machine/device.

I only mentioned the other problem .... well, because it was referenced.
(I can't post any more on that thread for reasons outside my control. Last time I tried I was told I couldn't.)
Just on the second part - yeah off topic - no problems.
I can't expect you to fix any/all problems I find. Particularly if only a few people have it.
I'll stop now. Don't want to keep the off topic going too much.

Thanks again.
Confusion resolved.
(I hope)

TotallyInformation · 26 December 2018 18:03

Such issues are generally tracked using GitHub's Issues list rather than the forum.

knolleary · 26 December 2018 19:08

This particular one, unable to login, is here: Can't login with firefox · Issue #1982 · node-red/node-red · GitHub

Topic		Replies	Views
Flow credentials cannot be decrypted General	9	2366	31 May 2022
Node-red can't debug. General node-red-dashboard	2	406	26 May 2022
I don't want to use credentialSecret and I don't need encryption General	5	2216	31 October 2021
Your flow credentials file is encrypted using a system-generated key General	58	31571	28 July 2021
Trying authorization on flow editor without secret key General security	8	210	22 February 2023

Should I be worried? (Message noticed while editing a flow)

Related topics