How does Next.js handle encryption keys?

Unanswered
Wild Turkey posted this in #help-forum
Wild Turkey (OP)
Hey all! I was reading the article "[How to think about security in Next.js.](https://nextjs.org/blog/security-nextjs-server-components-actions)" I was curious how variables are encrypted using server actions, and I noticed these lines:
> In Next.js 14, the closed over variables are encrypted with the action ID before sent to the client. By default a private key is generated automatically during the build of a Next.js project.
This makes sense to me. However, does this mean the private key is stored as a plain string in the bundled JavaScript? Or is it somehow stored in a different way? Curious how this works so I can deploy Next.js on platforms outside of Vercel. Thanks!

4 Replies

i don't know how it works behind the scenes either so can't answer this, but FWIW here is the PR that implements the feature https://github.com/vercel/next.js/pull/56377 and this paragraph is notable:

> During build time, a private AES-GCM encryption key is randomly generated and stored in the built server manifest. Before encrypting/decrypting, an extra round of Flight server and client will be used to serialize/deserialize the value.

and i do see
```json
{
  // ...
  "encryptionKey": "<random string>"
}
```

in `.next/server/server-reference-manifest.json`.
Important to share the key between instances and across builds if needed
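
A check for the point above about sharing the key between instances, as an added example that is not from the thread or the Next.js project: it compares the `encryptionKey` field of several `server-reference-manifest.json` files and reports which instances match, without printing key material. The instance labels and key values are constructed placeholders.

```javascript
// Added example: verifies that several builds/instances carry the same
// Server Actions encryption key, reporting labels only (never the key).
// Each `text` is the content of that instance's
// .next/server/server-reference-manifest.json, e.g. read with
// fs.readFileSync(path, "utf8"). Labels below are hypothetical.

function compareEncryptionKeys(manifests) {
  const groups = new Map(); // key value -> labels sharing it (memory only)
  const problems = [];      // instances whose manifest has no usable key

  for (const { label, text } of manifests) {
    let key;
    try {
      key = JSON.parse(text)?.encryptionKey;
    } catch {
      problems.push({ label, reason: "manifest is not valid JSON" });
      continue;
    }
    if (typeof key !== "string" || key.length === 0) {
      problems.push({ label, reason: "encryptionKey missing or empty" });
      continue;
    }
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(label);
  }

  // Only labels leave this function, so the report is safe to log.
  const labelGroups = [...groups.values()];
  return {
    consistent: problems.length === 0 && labelGroups.length === 1,
    groups: labelGroups,
    problems,
  };
}

// Constructed sample manifests (placeholder values, not real keys).
const sample = [
  { label: "instance-a", text: '{"encryptionKey":"CONSTRUCTED-KEY-1"}' },
  { label: "instance-b", text: '{"encryptionKey":"CONSTRUCTED-KEY-1"}' },
  { label: "instance-c", text: '{"encryptionKey":"CONSTRUCTED-KEY-2"}' }, // separate build
  { label: "instance-d", text: "{}" },                                    // key absent
];

const report = compareEncryptionKeys(sample);
console.log(JSON.stringify(report, null, 2));
```

More than one group means instances were built separately and hold different keys; the report names the instances in each group so the mismatch can be traced to a build.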