This is for v1.29.0

In the config passwords are encrypted and decrypted using crypto.createCipher using the aes-256-ctr algorithm. The nodejs documentation says this is incorrect:

Users should not use ciphers with counter mode (e.g. CTR, GCM, or CCM) in crypto.createCipher().

They suggest using crypto.createCipheriv() instead for this method of encryption, which requires we store the iv value as well. Otherwise we could just use a different encryption algorithm and leave it at that.

The reason I post this isn't necessarily that it's insecure, but that I want to create the config using a python script, but the python PyCrypto library requires an iv, but I haven't found what nodejs actually uses for it's iv value in this case, so I don't have a way of encrypting the passwords the same way node does.

Any response about a workaround at least would be great.

The reason I post this isn't necessarily that it's insecure

It is. createCipher is cryptographically weak as it is, and using it with counter modes is simply wrong.

but I haven't found what nodejs actually uses for it's iv value in this case

You can use this script to compute the key / IV.

Thanks for the script @tniessen. I ended up making my own changes that simply removed he encryption code. What's kind of weird is that there is an "option" to turn off encryption for a server by just doing "encryption": false in the config, but this doesn't work in fact if I remember right, I think it just breaks it.