Unexpected Debug message: Your flow credentials file is encrypted using a system-generated key

BACKGROUND:
After editing a flow on one PC, I went to a second PC that had the Node-RED Flow editor running, knowing that it would flag the fact that there had been a change. I had intended to shut down the second PC, but thought I would try to merge the change. What I always find is that after the merge the affected nodes are shown, but retain the Blue-Dot indicator that means it requires a Deployment, but the Deploy doesn't indicate the need for re-deployment. So I tried a re-start to see if that got rid of the Blue-Dots; it didn't. So I just shut down the PC.

When I went back to the first PC I saw this warning message in the debug-panel:

4/25/2024, 10:00:31 AM
msg : string[567]
"↵↵---------------------------------------------------------------------↵Your flow credentials file is encrypted using a system-generated key.↵↵If the system-generated key is lost for any reason, your credentials↵file will not be recoverable, you will have to delete it and re-enter↵your credentials.↵↵You should set your own key using the 'credentialSecret' option in↵your settings file. Node-RED will then re-encrypt your credentials↵file using your chosen key the next time you deploy a change.↵---------------------------------------------------------------------↵"

Is that normal after a manual re-start?
I noted in the Setup File it says:

By default, credentials are encrypted in storage using a generated key.

I presume I really don't need to do anything, like enter my own encryption-key, or false; that this was just a reminder about encryption? This is also the first time I was notified about setting my own encryption-key.

As it refers to the possible loss of an encryption key, where is it stored so I can preserve it if required?

Any help on this matter would be appreciated,
X.

You don't, but if you care about the credentials and want to use that file at some later point (i.e. move to another system), then you will care.

It is printed to the console (and debug) upon every startup, but this time you had the browser open and saw it.

Here is a good write-up done by @hardillb, copied from some other site:

The credentialsSecret value is used to encrypt/decrypt the credentials you have entered into any of the nodes when you set them up after dragging them onto the canvas.

Credentials are stored in a file called flows_creds.json alongside the flows.json

It is not used as part of any communication with any remote system.

If you do not add a credentialsSecret to your settings.js then Node-RED will generate one and store it in a file called .config.runtime.json in your userDir (~/.node-red). Node-RED will then show a warning at startup about this.

If you then add a credentialsSecret to settings.js and restart Node-RED, the next time you do a deploy it will use the old generated secret to decrypt the current credentials file and re-encrypt it using the newly added credentialSecret. You can only do this automatic migration once. This will then remove the warning on later restarts.

Thanks Steve-Mcl,

So what you're suggesting is that I should change

//credentialSecret: "a-secret-key"

in the Setup file; un-commenting it and inserting my own textual secret-key, or simply false if I don't require encryption?

Also, what precisely is encrypted as I can view flows.json with any editor?
I have already copied the flows.json to another PC, and as long as I change the IP in the json file it runs fine on the other PC.

Credentials
(the clue is in the name and the previous long description "The credentialsSecret value is used to encrypt/decrypt the credentials" "Credentials are stored in a file called flows_creds.json")

e.g: the MQTT node has credentials:

[image]

as does the auth section in the HTTP Request node & some others!


Not having the creds decrypt will mean you lose these settings (like the user/pass example above) when you copy the files across (meaning you have to re-enter them manually).

Ideally yes.

I see, so this has nothing to do as far as copying flows.json to another PC.

I am using MQTT, but I have not entered any Username or Password; it's for use strictly in my house.

So this has nothing to do as far as copying flows.json to another PC.

Any flow credentials get stored in a separate file - flows_creds.json that exists next to your flows.json file. If you only copy the flows.json file over, you will leave behind the credentials and need to re-enter any you have set. Or you can set credentialSecret to a known value, and then you can copy both files over and, as long as you have set the same credentialSecret on the target device as well, then all will work.

Regarding the blue dots on every flow not being cleared by deploy after the merge/discard popup, I think it's a bug. Not related to the credentials file.
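
The copy-both-files approach described in this thread depends on the secret on the target PC actually matching the one that encrypted the credentials file. As an added example (not from any post here, and not Node-RED's own code), the Node.js check below tests a secret against a credentials file before you rely on it. It assumes the file is a JSON object whose `$` property holds a 32-hex-character IV followed by base64 AES-256-CTR ciphertext, keyed with the SHA-256 of the secret; the function names and sample values are constructed for illustration.

```javascript
const crypto = require("crypto");

// Assumed file layout: { "$": <32 hex chars of IV><base64 AES-256-CTR ciphertext> }
const ALGORITHM = "aes-256-ctr";

// Assumption: the AES key is the SHA-256 digest of the secret string.
function deriveKey(secret) {
  return crypto.createHash("sha256").update(secret).digest();
}

// Build a credentials file in the assumed layout (used here to make sample data).
function encryptCredentials(secret, credentials) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(ALGORITHM, deriveKey(secret), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(credentials), "utf8"), cipher.final()]);
  return { $: iv.toString("hex") + body.toString("base64") };
}

function decryptCredentials(secret, file) {
  const iv = Buffer.from(file.$.slice(0, 32), "hex");
  const decipher = crypto.createDecipheriv(ALGORITHM, deriveKey(secret), iv);
  const data = Buffer.from(file.$.slice(32), "base64");
  const plain = Buffer.concat([decipher.update(data), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// CTR mode has no integrity tag: a wrong secret produces garbage, not an error,
// so a failed JSON parse is the only sign that the secret does not match.
// Only node ids are returned, never the decrypted usernames or passwords.
function checkSecret(secret, file) {
  if (!file || typeof file.$ !== "string" || file.$.length < 32) {
    return { ok: false, reason: "file is not in the encrypted layout" };
  }
  try {
    const creds = decryptCredentials(secret, file);
    if (creds === null || typeof creds !== "object") throw new Error("not an object");
    return { ok: true, nodeIds: Object.keys(creds) };
  } catch (err) {
    return { ok: false, reason: "secret does not decrypt this file" };
  }
}

// Constructed sample: one MQTT broker node id with placeholder credentials.
const sample = encryptCredentials("secret-set-on-both-PCs", {
  "mqtt-broker-1": { user: "example-user", password: "example-pass" },
});
console.log(checkSecret("secret-set-on-both-PCs", sample));
console.log(checkSecret("a-different-secret", sample));
```

To check a real file, pass `JSON.parse(fs.readFileSync(path, "utf8"))` as `file`.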
