A question popped up on the Node-RED Slack yesterday asking how to recover an entry from the credentials file.
Background
The credentials file can normally be found in the Node-RED userDir, which defaults to ~/.node-red on Unix-like platforms (the path is logged near the start of the output when Node-RED starts). The file has the same name as the flow file with _cred appended before the .json, e.g. flows_localhost.json will have a corresponding flows_localhost_creds.json.
The content of the file will look something like this:
{"$":"7959e3be21a9806c5778bd8ad216ac8bJHw="}
This isn’t much use on its own, as the contents are encrypted to make it harder for people to just copy the file and have access to all the stored passwords and access tokens.
The secret that is used to encrypt/decrypt this file can be found in one of 2 locations:
- In the settings.js file, in the credentialsSecret field. The user can set this if they want to use a fixed known value.
- In the .config.json file (or .config.runtime.json in later releases), in the __credentialSecret field. This secret is the one automatically generated if the user has not specifically set one in the settings.js file.
Code
In order to make use of thex
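const crypto = require('crypto');
const fs = require('fs');
const encryptionAlgorithm = "aes-256-ctr";

function decryptCreds(key, cipher) {
    let flows = cipher["$"];
    // The first 32 hex characters are the 16-byte initialisation vector
    const initVector = Buffer.from(flows.substring(0, 32), 'hex');
    // The rest of the string is the base64-encoded ciphertext
    flows = flows.substring(32);
    const decipher = crypto.createDecipheriv(encryptionAlgorithm, key, initVector);
    const decrypted = decipher.update(flows, 'base64', 'utf8') + decipher.final('utf8');
    return JSON.parse(decrypted);
}

if (process.argv.length < 4) {
    console.error("Usage: node show-creds <credentials file> <secret>");
    process.exit(1);
}
// Read the credentials file named on the command line
const creds = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
const secret = process.argv[3];
// The AES-256 key is the SHA-256 digest of the secret
const key = crypto.createHash('sha256').update(secret).digest();
console.log(decryptCreds(key, creds));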
If you place this in a file called show-creds.js and put it in the Node-RED userDir, you can run it as follows:
$ node show-creds creds.json [secret]
where [secret] is the value stored in credentialsSecret or _credentialsSecret from earlier. This will then print out the decrypted JSON object holding all the passwords/tokens from the file.
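The file layout and the two possible secret locations can be exercised offline with a round trip. This is an added example, not part of the original post or Node-RED's own code: encryptCreds is an assumed inverse inferred from the decrypt script above, the names deriveKey, tryDecryptCreds and whichSecret are hypothetical, and the sample credentials and secret are constructed.

```javascript
const crypto = require('crypto');

const ALGORITHM = 'aes-256-ctr'; // same algorithm as the page's script

// Key derivation from the page's script: SHA-256 of the secret string.
function deriveKey(secret) {
    return crypto.createHash('sha256').update(secret).digest();
}

// Assumed inverse of decryptCreds(): 32 hex chars of IV, then base64 ciphertext.
function encryptCreds(secret, credentials, iv = crypto.randomBytes(16)) {
    const cipher = crypto.createCipheriv(ALGORITHM, deriveKey(secret), iv);
    const body = Buffer.concat([cipher.update(JSON.stringify(credentials), 'utf8'), cipher.final()]);
    return { "$": iv.toString('hex') + body.toString('base64') };
}

// Returns the decrypted object, or null when the secret does not fit the file.
// AES-CTR has no authentication tag, so a wrong secret raises no cipher error;
// it only produces bytes that fail to parse as a JSON object.
function tryDecryptCreds(secret, file) {
    const blob = file && file["$"];
    if (typeof blob !== 'string' || !/^[0-9a-f]{32}/i.test(blob)) {
        return null; // not in the {"$": "<hex iv><base64 data>"} shape
    }
    const iv = Buffer.from(blob.substring(0, 32), 'hex');
    const data = Buffer.from(blob.substring(32), 'base64');
    const decipher = crypto.createDecipheriv(ALGORITHM, deriveKey(secret), iv);
    const plain = Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
    try {
        const parsed = JSON.parse(plain);
        return (parsed !== null && typeof parsed === 'object') ? parsed : null;
    } catch (err) {
        return null;
    }
}

// Given the candidate secrets by source, report which one decrypts the file.
function whichSecret(file, candidates) {
    for (const [source, secret] of Object.entries(candidates)) {
        if (secret && tryDecryptCreds(secret, file) !== null) return source;
    }
    return null;
}

// Constructed sample: a made-up node id mapped to made-up credentials.
const sample = { "a1b2c3d4.e5f6a7": { user: "demo", password: "not-a-real-password" } };
const sampleFile = encryptCreds("constructed-secret", sample);
console.log(whichSecret(sampleFile, { "settings.js": undefined, ".config.json": "constructed-secret" }));
```

Because the only protection on the file is the secret, anyone who can read both the credentials file and settings.js or .config.json in the userDir can recover every stored password, so file permissions on that directory matter as much as the encryption.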