How to decrypt data in Node.js

Tuesday, November 18, 2025

#nodejs #crypto #decryption #security #aes

Decrypting encrypted data safely requires proper handling of initialization vectors, authentication tags, and error checking in Node.js applications. As the creator of CoreUI, a widely used open-source UI library, I’ve implemented secure decryption patterns in numerous Node.js backend systems and enterprise applications. From my 25 years of experience in web development and 11 years with Node.js, the most secure and reliable approach is to use the built-in crypto module with proper AES decryption and authentication verification. This method ensures data integrity and prevents tampering attacks.

Use crypto.createDecipher() with the same algorithm, IV, and authentication tag used during encryption.

const crypto = require('crypto')

function decrypt(encryptedData, iv, authTag, secretKey) {
  try {
    const algorithm = 'aes-256-gcm'
    const decipher = crypto.createDecipher(algorithm, secretKey, Buffer.from(iv, 'hex'))

    decipher.setAuthTag(Buffer.from(authTag, 'hex'))

    let decrypted = decipher.update(encryptedData, 'hex', 'utf8')
    decrypted += decipher.final('utf8')

    return decrypted
  } catch (error) {
    throw new Error('Decryption failed: Invalid data or key')
  }
}

// Usage example
const secretKey = 'your-secret-key-from-encryption'
const encryptedData = 'encrypted-hex-string'
const iv = 'initialization-vector-hex'
const authTag = 'auth-tag-hex'

try {
  const decryptedText = decrypt(encryptedData, iv, authTag, secretKey)
  console.log('Decrypted:', decryptedText)
} catch (error) {
  console.error('Decryption error:', error.message)
}

The crypto.createDecipher() method creates a decryption cipher using the same algorithm used for encryption. The setAuthTag() method verifies data integrity using the authentication tag from encryption. The IV must be converted back from hex to Buffer format for proper decryption. The try-catch block handles decryption failures that occur when using wrong keys, tampered data, or corrupted authentication tags.

This is the same secure decryption approach we use in CoreUI backend services for protecting sensitive user data and maintaining data integrity. Always validate decryption results and handle errors gracefully - failed decryption often indicates security attacks or data corruption that should be logged and monitored.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

About the Author

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.