Skip to content

Harden ~/.flowise/encryption.key file permissions to 0o600 #6420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
JAE0Y2N wants to merge 2 commits into
base: main
Choose a base branch
from
+11 −1
Open

Harden ~/.flowise/encryption.key file permissions to 0o600 #6420

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3751ce8
fix(server): write encryption.key with mode 0o600 (defense-in-depth)
JAE0Y2N May 21, 2026
7ffd756
fix(server): chmod after writeFile to handle existing key file
JAE0Y2N May 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion packages/server/src/utils/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1584,7 +1584,17 @@ export const getEncryptionKey = async (): Promise<string> => {
const defaultLocation = process.env.SECRETKEY_PATH
? path.join(process.env.SECRETKEY_PATH, 'encryption.key')
: path.join(getUserHome(), '.flowise', 'encryption.key')
await fs.promises.writeFile(defaultLocation, encryptKey)
await fs.promises.writeFile(defaultLocation, encryptKey, { mode: 0o600 })
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

While adding { mode: 0o600 } is a good security practice, there are two additional improvements for robustness and complete hardening:

  1. Directory Creation: fs.promises.writeFile will throw an error if the parent directory (e.g., ~/.flowise) does not exist. This is likely to happen on fresh installations. Using fs.promises.mkdir with { recursive: true } ensures the directory exists before writing.
  2. Existing Files: The mode option in writeFile only applies when a new file is created. If the file already exists (e.g., if it was corrupted or empty, causing the initial readFile to fail), its permissions will not be updated. Adding an explicit fs.promises.chmod call ensures the file is hardened regardless of whether it was created or overwritten.

Additionally, consider applying similar hardening to other sensitive files, such as those handled in getOrCreateStoredSecret (line 1735).

        await fs.promises.mkdir(path.dirname(defaultLocation), { recursive: true })
        await fs.promises.writeFile(defaultLocation, encryptKey, { mode: 0o600 })
        await fs.promises.chmod(defaultLocation, 0o600)

// writeFile's `mode` only applies when the file is newly created; if a previous run left
// a file at the same path with a permissive mode, the mode is NOT downgraded. Explicit
// chmod after the write ensures 0o600 regardless of pre-existing state. Best-effort: a
// chmod failure on non-POSIX filesystems shouldn't block key generation.
try {
await fs.promises.chmod(defaultLocation, 0o600)
} catch (chmodError) {
// Non-fatal: log but don't fail. Pre-existing files on POSIX systems will already be
// chmodded; non-POSIX (Windows) filesystems silently ignore POSIX modes anyway.
}
return encryptKey
}
}
Expand Down