I had a look at the design doc on the wiki:
https://github.com/node-red/node-red/wiki/Design%3A-Encryption-of-credentials
We have the need to provide the credentialsSecret on startup or run time. Nick let me know that can easily be done by setting the credentialsSecret in settings to something like: process.env.MY_CREDENTIAL_SECRET which is great.
Is this a common enough use case to be mentioned in the design document specifically? The doc seems to imply that the secret will be typically near the encrypted credentials.
Also, if passing in the secret at startup or run time will be a common use case to avoid keeping it near the credentials file, perhaps the key can be provided using an API call to the run time? Perhaps we can settle on an environment variable that is used (if it's set) (e.g. NODE_RED_SECRET). This could be used by the docker image perhaps.
Also, just wondering if anyone has started on the storage plug-in that will implement this? I made some changes to the existing module in this area on a fork and would like to see how far off we are. I'm hoping to leverage your work of course, and contribute if I can.
Thanks!
Mike
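
Added example, not part of the post above and not Node-RED project code: one way a settings.js could take `credentialsSecret` from the environment and refuse to start when it is missing, so the secret never sits beside the encrypted credentials. `NODE_RED_SECRET` is only the name proposed in the post, and `buildSettings`, `resolveCredentialsSecret` and the minimum length are assumptions made for illustration.

```javascript
// Added example (assumptions labelled): resolve credentialsSecret from the
// environment for settings.js, failing closed when it is absent or weak.
// NODE_RED_SECRET is the name proposed in the post; MY_CREDENTIAL_SECRET is the
// name from the post's settings example. MIN_LENGTH is an assumed local policy.
const SECRET_VARS = ["NODE_RED_SECRET", "MY_CREDENTIAL_SECRET"];
const MIN_LENGTH = 16;

function resolveCredentialsSecret(env) {
  let found;
  for (const name of SECRET_VARS) {
    if (env[name] !== undefined && found === undefined) {
      found = { name, value: env[name] };
    }
    // Optional hardening: drop the variable so processes spawned later by the
    // runtime do not inherit the secret through their environment.
    delete env[name];
  }
  if (found === undefined) {
    throw new Error(
      `credentialsSecret not provided; set one of: ${SECRET_VARS.join(", ")}`
    );
  }
  if (found.value.trim().length < MIN_LENGTH) {
    // Report the variable name only, never the value.
    throw new Error(
      `${found.name} is set but shorter than ${MIN_LENGTH} characters`
    );
  }
  return found.value;
}

function buildSettings(env) {
  return {
    // The secret comes from the process environment, so it is not written into
    // settings.js or stored next to the encrypted credentials file.
    credentialsSecret: resolveCredentialsSecret(env),
  };
}

// In settings.js this would be: module.exports = buildSettings(process.env);
```

With a container image, the variable would be supplied when the container is started rather than baked into the image or the mounted data directory.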