How to encrypt data in Node.js
Encrypting sensitive data is crucial for protecting user information, API keys, and confidential data in Node.js applications from unauthorized access.
As the creator of CoreUI, a widely used open-source UI library, I’ve implemented data encryption in countless Node.js backend systems and enterprise applications.
From my 25 years of experience in web development and 11 years with Node.js, the most secure and reliable approach is to use the built-in crypto module with AES encryption.
This method provides strong cryptographic protection suitable for production applications.
Use the crypto module with AES-256-GCM encryption for secure data protection with authentication.
```javascript
const crypto = require('crypto')

// Encrypt a UTF-8 string with AES-256-GCM.
// secretKey must be a 32-byte Buffer.
function encrypt(text, secretKey) {
  const algorithm = 'aes-256-gcm'
  // Fresh random 96-bit IV for every message (the size recommended for GCM)
  const iv = crypto.randomBytes(12)
  const cipher = crypto.createCipheriv(algorithm, secretKey, iv)

  let encrypted = cipher.update(text, 'utf8', 'hex')
  encrypted += cipher.final('hex')

  // The authentication tag is available only after final()
  const authTag = cipher.getAuthTag()

  return {
    encrypted,
    iv: iv.toString('hex'),
    authTag: authTag.toString('hex')
  }
}

// Usage example
const secretKey = crypto.randomBytes(32) // 256-bit key as a Buffer
const sensitiveData = 'user credit card: 4111-1111-1111-1111'
const encryptedData = encrypt(sensitiveData, secretKey)

console.log('Encrypted:', encryptedData.encrypted)
console.log('IV:', encryptedData.iv)
console.log('Auth Tag:', encryptedData.authTag)
```
The crypto.createCipheriv() method creates an encryption cipher using AES-256-GCM, which provides both encryption and authentication. Use it rather than the deprecated crypto.createCipher(), which does not accept an IV. The key must be exactly 32 bytes for AES-256. The initialization vector (IV) ensures that encrypting the same data multiple times produces different results; generate a new random IV for every message and never reuse one with the same key. The getAuthTag() method returns an authentication tag that verifies data integrity during decryption. Store the encrypted data, IV, and authentication tag together - all are needed for successful decryption.
This is the same encryption approach we use in CoreUI backend services for protecting sensitive user data and API credentials. Always use environment variables or secure key management systems to store encryption keys - never hardcode them in your application source code.
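As an added example, not code from the original article or from CoreUI, the following shows the decryption side described above: the IV, authentication tag and ciphertext are packed into one value, and decryption rejects a modified value or a wrong key. The function names `loadKey`, `seal` and `open`, the packed layout and the `DATA_ENCRYPTION_KEY` variable name are assumptions made for illustration.

```javascript
// Added example (not from the original article). loadKey, seal, open and the
// iv || authTag || ciphertext layout are hypothetical names and choices.
const crypto = require('crypto')

const ALGORITHM = 'aes-256-gcm'
const IV_LENGTH = 12   // 96-bit IV, the size recommended for GCM
const TAG_LENGTH = 16  // 128-bit authentication tag

// Parse a 256-bit key supplied as 64 hex characters, e.g. from an env variable.
function loadKey(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-f]{64}$/i.test(hex)) {
    throw new Error('key must be 64 hex characters (32 bytes)')
  }
  return Buffer.from(hex, 'hex')
}

// Encrypt and pack iv || authTag || ciphertext into one base64 string.
function seal(plaintext, key) {
  const iv = crypto.randomBytes(IV_LENGTH)
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH })
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString('base64')
}

// Unpack and decrypt. Throws if the key is wrong or any byte was modified.
function open(sealed, key) {
  const data = Buffer.from(sealed, 'base64')
  if (data.length < IV_LENGTH + TAG_LENGTH) throw new Error('sealed value too short')
  const iv = data.subarray(0, IV_LENGTH)
  const authTag = data.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH)
  const ciphertext = data.subarray(IV_LENGTH + TAG_LENGTH)
  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH })
  decipher.setAuthTag(authTag)
  // final() verifies the tag; nothing is returned unless verification succeeds.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8')
}

// Demo with a constructed key; in production pass process.env.DATA_ENCRYPTION_KEY.
const demoKey = loadKey(crypto.randomBytes(32).toString('hex'))
const sealed = seal('api-key: example-constructed-value', demoKey)
console.log('Round trip:', open(sealed, demoKey))

const tampered = Buffer.from(sealed, 'base64')
tampered[tampered.length - 1] ^= 0x01 // flip one ciphertext bit
try {
  open(tampered.toString('base64'), demoKey)
} catch (err) {
  console.log('Tampering rejected:', err.message)
}
```

Treat an exception from `open` as a hard failure and discard the value; a failed tag check means the data or the key is not what was stored.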



