Nodejs createCipher vs createCipheriv

Is createCipher still a viable and secure way to encrypt data at rest?

Although it is of course never recommended to use deprecated API calls, it is possible to create a secure system using createCipher. For this the given "password" must be strong enough to withstand offline, and possibly parallel attacks. For this the given password must have enough entropy (must be random enough) not to be guessed. For instance, you can create ~80 bit or higher passwords using a password manager and use those.

Should a solution using createCipheriv always be preferred over createCipher?

Yes, if just because the author has already warned you and any review of your code will have to reconsider if createCipher is still viable. If the method is ever removed from the CryptoJS (unlikely, but it has been deprecated after all) then your code would not run anymore.

Still, the use of createCipheriv will be less secure than createCipher if you use a password directly as a key. You should still use a correct password-based key derivation function such as PBKDF2 to derive the output key material, as indicated in the updated documentation.

Any other details or recommendations appreciated.

In most cases you want to use a higher end encryption / decryption method such as the Cryptographic Message Syntax (CMS, specified in PKCS#7), PGP or similar high end protocols / container formats.

If you really need to use a cipher directly you should try and see if authenticated encryption such as offered by GCM is an option.


The now deprecated createCipher function didn't allow for a unique IV, which is why createCipheriv is preferred.

Deriving a key using any key derivation functionality doesn't assist in protecting the ciphertext from the dictionary attacks that an IV prevents.