3

I'm building a node api for a multi-tenant app and I'm using a tenant catalog in-memory which stores all the connection strings to connect to the database of each tenant.

Even though there's limits to what the account can do and the origin that can connect to the db for those specific accounts, I still don't want to even consider storing those passwords into plain text.

I've used bcrypt before but due to its 'one-way' nature, I wouldn't really be able to use the 'stored' passwords.

Is there a safe way to handle these in a NODE app?

SebastianG
  • 8,563
  • 8
  • 47
  • 111
  • Does this answer your question? [node.js: encrypting data that needs to be decrypted?](https://stackoverflow.com/questions/6953286/node-js-encrypting-data-that-needs-to-be-decrypted) – Steve Chambers Nov 10 '20 at 10:34

1 Answers1

1

Node comes out-of-the-box with crypto, which you can use to do basic symmetric encryption using a known private key (password). Presumably the key is stored somewhere safe that your application has access to, but is not in the database or in the source code.

Here's a simple example: https://lollyrock.com/posts/nodejs-encryption/

This gives you encryption-at-rest, which is probably a good "just in case" security precaution. Depending on the database you are using, you might be able to opt-in to encryption-at-rest without application changes - if you're an AWS shop, for example, you may have options to make the encryption invisible to your application. Otherwise, you'll need to decrypt and encrypt as you read and write your rows.

Elliot Nelson
  • 11,371
  • 3
  • 30
  • 44
  • Thanks! I figured it out a few hours after asking but this is exactly what I ended up doing. Had no idea there's crypto as an option! Made an 'encryption' module where I'm just picking up the functions to encrypt/decrypt and storing the secret key in an environmental variable. There is 1 thing that was left a bit unanswered/unclear. The secret key that I'm using, how much does it matter? should I attempt to make it as long and complex as possible? Simple logic tells me yes but unsure of the underlying design. – SebastianG Dec 23 '18 at 15:58
  • For AES I think a 128 bit key is still standard; that would be 16 bytes of binary data or (easier) a 32-character hex string. So practically a random alphanumeric string of 32 chars or over should be more than enough. – Elliot Nelson Dec 23 '18 at 18:28