What encryption method is used to encrypt Flow Credentials in order to trigger flows via HTTP API?

knolleary · 12 January 2023 15:28

bcrypt is a password-hashing algorthm, not an encryption scheme. If we used bcrypt for the credentials, we'd never be able to decrypt them.

The code Node-RED uses to encrypt/decrypt credentials is here:

github.com

node-red/node-red/blob/master/packages/node_modules/@node-red/runtime/lib/nodes/credentials.js#L34-L46


      
          function decryptCredentials(key,credentials) {
              var creds = credentials["$"];
              var initVector = Buffer.from(creds.substring(0, 32),'hex');
              creds = creds.substring(32);
              var decipher = crypto.createDecipheriv(encryptionAlgorithm, key, initVector);
              var decrypted = decipher.update(creds, 'base64', 'utf8') + decipher.final('utf8');
              return JSON.parse(decrypted);
          }
          function encryptCredentials(key,credentials) {
              var initVector = crypto.randomBytes(16);
              var cipher = crypto.createCipheriv(encryptionAlgorithm, key, initVector);
              return {"$":initVector.toString('hex') + cipher.update(JSON.stringify(credentials), 'utf8', 'base64') + cipher.final('base64')};
          }

Topic		Replies	Views
Flows-cred.json decrypt/encrypt dependency General	4	318	15 July 2023
Are encrypted node-red Credentials in the HTTP Request Body for /flows only allowed for API Version v2? General	1	92	2 October 2023
Flow credentials cannot be decrypted General	9	2366	31 May 2022
Decrypting node-red credentials file General	2	272	1 April 2023
Credentials security vulnerability General security	23	201	27 August 2024

What encryption method is used to encrypt Flow Credentials in order to trigger flows via HTTP API?

Related topics