
Secure Node.js Configuration Files

Securing Node.js Configuration Files

This library makes your application configuration files more secure by providing methods to encrypt at build-time & decrypt at runtime.

Sample configuration file

    {
        "production" : {
            "db"    : {
                "database" : "mysql",
                "user"     : "root",
                "password" : "!EDFT#$@%^TSSDFRT"
            },
            "app"   : {
                "port"     : 5555
            }
        }
    }

Secure the configuration file using the following Node.js code

#!/usr/bin/env node

var SecureConf = require('secure-conf');
var sconf      = new SecureConf();
var pw         = require("pw");

// You can pass it from anywhere you want.
process.stdout.write("Password: ");

// Read the password from the terminal (input is masked), then encrypt the
// plain-text file with it. The callback receives the source file (f), the
// encrypted file (ef) and the encrypted contents (ec).
pw(function(password) {
    sconf.encryptFile("./test.json", "./test.json.enc", password,
        function(err, f, ef, ec) {
            if (err) {
                console.log("failed to encrypt %s, error is %s", f, err);
            } else {
                console.log("encrypt %s to %s complete.", f, ef);
                console.log("encrypted contents are %s", ec);
            }
        });
});

Use the encrypted configuration file in your app

When you launch the program below, you will need to enter the same password you used to create the encrypted config file test.json.enc.

#!/usr/bin/env node

var SecureConf = require('secure-conf');
var sconf      = new SecureConf();
var ef         = "./test.json.enc";
var express    = require('express');
var app        = express();

// You can pass it from anywhere you want.
process.stdout.write("Password: ");

var pw         = require("pw");

// Prompt for the password, decrypt the file in memory (nothing is written
// back to disk) and parse the resulting JSON.
pw(function(password) {
    sconf.decryptFile(ef, password, function(err, file, content) {
        if (err) {
            console.log('Unable to retrieve the configuration contents.');
        } else {
            var config = JSON.parse(content);
            // Use the decrypted settings, e.g. the port from the sample config above.
            app.listen(config.production.app.port);
        }
    });
});

NOTE: This module is not a substitute for your server/application security. The password and the decrypted configuration remain in the process's memory (RAM); a determined attacker who can read that memory can get whatever she wants.

Example Run

This example shows how to encrypt a sample configuration file with a strong password and then use the encrypted file in place of the plain-text one.

[nareshv@nareshv ~]$ cd /tmp
[nareshv@nareshv tmp]$ git clone https://github.com/nareshv/secure-conf
Cloning into 'secure-conf'...
remote: Counting objects: 65, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 65 (delta 3), reused 5 (delta 2), pack-reused 56
Unpacking objects: 100% (65/65), done.
Checking connectivity... done.
[nareshv@nareshv tmp]$ cd secure-conf/
[nareshv@nareshv secure-conf]$ npm install
secure-conf@0.0.5 /tmp/secure-conf
└── pw@0.0.4
[nareshv@nareshv secure-conf]$ cd examples/
[nareshv@nareshv examples]$ ls
test.js  test.json  test.json.enc
[nareshv@nareshv examples]$ node test.js
======== Supported Encryption Algorithms =======
Please type in a password to encrypt contents of 'test.json' file .
encrypt ./test.json to ./test.json.enc complete.
encrypted contents are 98579719d144565c48755fce8be2a97cb655892e0ca961652763b88cc1a290fb
decrypt ./test.json.enc complete.
Original contents are { "hello" : "world" }

[nareshv@nareshv examples]$ cat ./test.json.enc

Now you can use ./test.json.enc in your code, as in the example above, instead of a plain-text configuration file.


There is a sample script under the examples directory. Follow these steps to test the example.

cd examples
node test.js
<enter password of your choice when asked>

<see that decrypted content is same as what is in 'test.json'>


This is the same way SSL private keys are protected for Apache/nginx: the key file is kept encrypted on disk and the passphrase is supplied at startup.


You can pass the following parameters to the constructor

  • prompt : The prompt that is shown when asking for the password
  • algo : The algorithm used for both encryption and decryption (see the Node.js crypto documentation for the supported symmetric algorithms)
