Node v22 encryption is slower and returns different ciphertext than Node v18 — why?

[santhosh-js]

Hi everyone,

I’m migrating from Node v18 to Node v22 and I noticed two major differences in behavior.

---

1) Performance difference

Node v18 (fast)

const crypto = require('crypto');
const SECRET = 'SECRET-KEY-FOR-ENCRYPTION';

function encrypt(text) {
  const cipher = crypto.createCipher('aes-256-cbc', SECRET);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return encrypted;
}

Running 100 encrypt/decrypt cycles takes ~13ms.

Node v22 (slow)

const crypto = require('crypto');
const SECRET = 'SECRET-KEY-FOR-ENCRYPTION';

function encrypt(text) {
  const iv = crypto.randomBytes(16);
  const key = crypto.scryptSync(SECRET, 'salt', 32);
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);

  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');

  return iv.toString('hex') + ':' + encrypted;
}

Running 100 encrypt/decrypt cycles takes 6000+ ms.

---

2) Different output for same input

With Node v18, encrypting the same text always produced the same ciphertext.
With Node v22, the ciphertext changes every time even for the same input, but decryption works.

---

Minimal Reproducible Example (copy/paste)

// Node v22 example
const crypto = require('crypto');
const SECRET = 'SECRET-KEY-FOR-ENCRYPTION';

const key = crypto.scryptSync(SECRET, 'salt', 32);

function encrypt(text) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);

  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');

  return iv.toString('hex') + ':' + encrypted;
}

function decrypt(text) {
  const [ivHex, encrypted] = text.split(':');
  const iv = Buffer.from(ivHex, 'hex');
  const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);

  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

const input = 'abc123@gmail.com';
const startTime = Date.now();

for (let i = 0; i < 100; i++) {
  const encrypted = encrypt(input);
  decrypt(encrypted);
}

console.log('Time:', Date.now() - startTime);

---

Questions:

1. Is this slowdown expected?
2. Why does createCipheriv produce different output?
3. Can I make it deterministic again if needed?

---

Notes:

• I know createCipher is deprecated and removed in Node v22.
• This is for Redis storage, not password hashing.

---

[amyssnippet]

@santhosh-js I confirm this behavior is expected and not a regression in Node.js v22. It stems from the security improvements enforced by removing the legacy createCipher API.

for 1: in ur node 22 code, you are calling crypto.scryptSync inside the encrypt function but in node 18 u used a weak, non-standard key derivation function (OpenSSL's EVP_BytesToKey with MD5). It was extremely fast but insecure. and now in node 22 you are now using scrypt, a Password-Based Key Derivation Function (PBKDF). It is intentionally designed to be slow and CPU-intensive to prevent brute-force attacks. you are deriving the key every single time you encrypt a string. Since your SECRET is constant, so to fix this, you should derive the key once at startup and reuse the Buffer.

for 2: the output is different because of randomization. in node18, createCipher derived the IV (Initialization Vector) from the password itself. This meant Input A always equaled Output B. While convenient for database lookups, this is semantically insecure (it reveals patterns in your data). but in node 22 the code explicitly calls const iv = crypto.randomBytes(16). This generates a unique IV for every encryption call, ensuring that the same input produces different ciphertext every time. This is the industry standard for secure storage. to fix this, you should derive the IV deterministically from the input data (using a hash) instead of using randomBytes.

As you mentioned this is for Redis storage (presumably you need to look up values later), you likely need Deterministic Encryption (where same input = same output).

[amyssnippet]

i think you should try this code for the fixes. this should be fast and secure for your use case

const crypto = require('node:crypto');

const SECRET = 'SECRET-KEY-FOR-ENCRYPTION';
const ALGORITHM = 'aes-256-cbc';

const key = crypto.scryptSync(SECRET, 'salt', 32); 

function encryptDeterministic(text) {
  const iv = crypto.createHash('sha256').update(text).digest().subarray(0, 16);
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return iv.toString('hex') + ':' + encrypted;
}

const startTime = Date.now();
for (let i = 0; i < 100; i++) {
  encryptDeterministic('abc123@gmail.com');
}
console.log('Time:', Date.now() - startTime, 'ms');

[amyssnippet]

in short ur code is slow as you called scrypt 100 times, moove it outside the loop and the different output was due to the node 22 code used randomBytes. You can make it deterministic by hashing the input to generate the IV (as shown above).

[Renegade334]

Encrypting in CBC mode with a randomly generated IV will result in different ciphertext each time.

As mentioned above, your examples are not comparable from a benchmark perspective.

If you have any follow-up questions, then I'd suggest taking them somewhere like the Node.js Discord where I'm sure other users would be happy to help.