From 3751ce839d7e5db2d41eb9841b535c0224fb98d8 Mon Sep 17 00:00:00 2001
From: Jaeyoung Yun <imjyy2.0@gmail.com>
Date: Fri, 22 May 2026 00:56:48 +0900
Subject: [PATCH 1/2] fix(server): write encryption.key with mode 0o600
 (defense-in-depth)

---
 packages/server/src/utils/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/server/src/utils/index.ts b/packages/server/src/utils/index.ts
index 2eeeb5b0eb6..9911b333307 100644
--- a/packages/server/src/utils/index.ts
+++ b/packages/server/src/utils/index.ts
@@ -1584,7 +1584,7 @@ export const getEncryptionKey = async (): Promise<string> => {
         const defaultLocation = process.env.SECRETKEY_PATH
             ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')
             : path.join(getUserHome(), '.flowise', 'encryption.key')
-        await fs.promises.writeFile(defaultLocation, encryptKey)
+        await fs.promises.writeFile(defaultLocation, encryptKey, { mode: 0o600 })
         return encryptKey
     }
 }

From 7ffd756bc5500fcab9ea45f3381213f40808a6ea Mon Sep 17 00:00:00 2001
From: JAE0Y2N <imjyy2.0@gmail.com>
Date: Sat, 23 May 2026 19:08:22 +0900
Subject: [PATCH 2/2] fix(server): chmod after writeFile to handle existing key
 file

Per gemini-code-assist review feedback on PR #6420: writeFile's mode option only applies on file creation. If a previous run left the encryption.key at a permissive mode, the mode is not downgraded. Add an explicit chmod 0o600 after writeFile to handle this case.

Wrapped in try/catch so non-POSIX filesystems (Windows) silently no-op rather than failing key generation.
---
 packages/server/src/utils/index.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/server/src/utils/index.ts b/packages/server/src/utils/index.ts
index 9911b333307..3b23e184685 100644
--- a/packages/server/src/utils/index.ts
+++ b/packages/server/src/utils/index.ts
@@ -1585,6 +1585,16 @@ export const getEncryptionKey = async (): Promise<string> => {
             ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')
             : path.join(getUserHome(), '.flowise', 'encryption.key')
         await fs.promises.writeFile(defaultLocation, encryptKey, { mode: 0o600 })
+        // writeFile's `mode` only applies when the file is newly created; if a previous run left
+        // a file at the same path with a permissive mode, the mode is NOT downgraded. Explicit
+        // chmod after the write ensures 0o600 regardless of pre-existing state. Best-effort: a
+        // chmod failure on non-POSIX filesystems shouldn't block key generation.
+        try {
+            await fs.promises.chmod(defaultLocation, 0o600)
+        } catch (chmodError) {
+            // Non-fatal: log but don't fail. Pre-existing files on POSIX systems will already be
+            // chmodded; non-POSIX (Windows) filesystems silently ignore POSIX modes anyway.
+        }
         return encryptKey
     }
 }