What encryption method is used to encrypt Flow Credentials in order to trigger flows via HTTP API?

Based on the documentation for POST /flows : Node-RED, it mentions the use of an encrypted password within the flow JSON request body. What is the encryption mechanism that is actually used? It doesn't look like bcrypt.

Any idea which mechanism it is?

While I don't know for certain, I would imagine it uses the same process as for the passwords: Securing Node-RED : Node-RED (nodered.org)

Which is indeed bcrypt. However, it does use a salt. From settings.js:

    /** By default, credentials are encrypted in storage using a generated key. To
     * specify your own secret, set the following property.
     * If you want to disable encryption of credentials, set this property to false.
     * Note: once you set this property, do not change it - doing so will prevent
     * node-red from being able to decrypt your existing credentials and they will be
     * lost.
     */
    credentialSecret: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',

bcrypt is a password-hashing algorithm, not an encryption scheme. If we used bcrypt for the credentials, we'd never be able to decrypt them.

The code Node-RED uses to encrypt/decrypt credentials is here:
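The following is an added example, not the Node-RED code the post refers to and not part of the original thread. It shows why credentials need reversible, key-based encryption rather than a hash, and why changing `credentialSecret` loses them. It assumes AES-256-CTR with a key derived by SHA-256 from the secret; the function names and sample values are hypothetical.

```javascript
// Added example, not Node-RED's own source. Assumption: AES-256-CTR with a
// SHA-256-derived key stands in for the reversible scheme; names are hypothetical.
const crypto = require("node:crypto");

const ALGORITHM = "aes-256-ctr";

// Derive a fixed-length 32-byte key from the credentialSecret string.
function deriveKey(credentialSecret) {
  return crypto.createHash("sha256").update(credentialSecret).digest();
}

// Encrypt a credentials object; a fresh random IV is stored (hex) in front
// of the base64 ciphertext so decryption can recover it.
function encryptCredentials(key, credentials) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(credentials), "utf8"),
    cipher.final(),
  ]);
  return { $: iv.toString("hex") + body.toString("base64") };
}

// Reverse the operation. CTR mode has no integrity check, so a wrong key
// yields garbage rather than an error; the JSON parse is what fails.
function decryptCredentials(key, encrypted) {
  const iv = Buffer.from(encrypted.$.slice(0, 32), "hex");
  const body = Buffer.from(encrypted.$.slice(32), "base64");
  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  try {
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // credentials are unrecoverable with this key
  }
}

// Constructed sample data.
const sample = { "node-id-1": { user: "alice", password: "s3cret" } };
const stored = encryptCredentials(deriveKey("original-secret"), sample);
console.log(decryptCredentials(deriveKey("original-secret"), stored)); // round-trips
console.log(decryptCredentials(deriveKey("changed-secret"), stored)); // null
```

Because the mode assumed here is unauthenticated, a wrong key is only detected when the output fails to parse as JSON.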
