A question popped up on the Node-RED Slack yesterday asking how to recover an entry from the credentials file.
Background
The credentials file can normally be found in the Node-RED userDir, which defaults to ~/.node-red on Unix like platforms (and is logged near the start of the output when Node-RED starts). The file has the same name as the flow file with _cred appended before the .json e.g. the flows_localhost.json will have a coresponding flows_localhost_creds.json
The content of the file will look something a little like this:
{"$":"7959e3be21a9806c5778bd8ad216ac8bJHw="}
This isn’t much use on it’s own as the contents are encrypted to make it harder for people to just copy the file and have access to all the stored passwords and access tokens.
The secret that is used to encrypt/decrypt this file can be found in one of 2 locations:
- In the
settings.jsfile in thecredentialsSecretfield. The user can set this if they want to use a fixed known value. - In the
.config.json(or.config.runtime.jsonin later releases) in the__credentialSecretfield. This secret is the one automatically generated if the user has not specifically set one in thesettings.jsfile.
Code
In order to make use of thex
const crypto = require('crypto');
var encryptionAlgorithm = "aes-256-ctr";
function decryptCreds(key, cipher) {
var flows = cipher["$"];
var initVector = Buffer.from(flows.substring(0, 32),'hex');
flows = flows.substring(32);
var decipher = crypto.createDecipheriv(encryptionAlgorithm, key, initVector);
var decrypted = decipher.update(flows, 'base64', 'utf8') + decipher.final('utf8');
return JSON.parse(decrypted);
}
var creds = require("./" + process.argv[1])
var secret = process.argv[2]
var key = crypto.createHash('sha256').update(secret).digest();
console.log(decryptCreds(key, creds))
If you place this is a file called show-creds.js and place it in the Node-RED userDir you can run it as follows:
$ node show-creds flows_localhost_creds.json [secret]
where [secret] is the value stored in credentialsSecret or _credentialsSecret from earlier. This will then print out the decrypted JSON object holding all the passwords/tokens from the file.