How to decrypt Jenkins passwords from credentials.xml?

Question

I've taken over the project where a lot of Jenkins credentials has passwords or passphrase strings which I need to know in order to progress with the project, unfortunately these weren't documented anywhere.

I've checked the credentials.xml file where these credentials are stored, but they're in not plain text, e.g.:

<passphrase>{AAAAAAAAAAAANzxft/rDzyt8mhxpn3O72dxvVqZksL5vBJ4jNKvAjAA=}</passphrase>

^{Note: I've changed it slightly for privacy reasons.}

How can I decrypt its original password based on the string above?

kenorb · Accepted Answer · 2017-09-28T22:15:34.657

Luckily there is a hudson.util.Secret.decrypt() function which can be used for this, so:

In Jenkins, go to: /script page.

Run the following command:

println(hudson.util.Secret.decrypt("{XXX=}"))

or:

println(hudson.util.Secret.fromString("{XXX=}").getPlainText())

where {XXX=} is your encrypted password. This will print the plain password.

To do opposite, run:

println(hudson.util.Secret.fromString("some_text").getEncryptedValue())

^{Source: gist at tuxfight3r/jenkins-decrypt.groovy.}

Alternatively check the following scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.

For more details, check: Credentials storage in Jenkins.

score 38 · Answer 2 · edited Apr 14 '20 at 00:58

Here is a short snippet you can just run from the jenkins script console, to dump all of your credentials to plain text.

com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{
  it.properties.each { prop, val ->
    if (prop == "secretBytes") {
      println(prop + "=>\n" + new String(com.cloudbees.plugins.credentials.SecretBytes.fromString("${val}").getPlainData()) + "\n")
    } else {
      println(prop + ' = "' + val + '"')
    }
  }
  println("-----------------------")
}

A more complicated version that lists for non-system credential providers:

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.Credentials
import com.cloudbees.plugins.credentials.domains.Domain
import jenkins.model.Jenkins
def indent = { String text, int indentationCount ->
  def replacement = "\t" * indentationCount
  text.replaceAll("(?m)^", replacement)
}

Jenkins.get().allItems().collectMany{ CredentialsProvider.lookupStores(it).toList()}.unique().forEach { store ->
  Map<Domain, List<Credentials>> domainCreds = [:]
  store.domains.each { domainCreds.put(it, store.getCredentials(it))}
  if (domainCreds.collectMany{ it.value}.empty) {
    return
  }
  def shortenedClassName = store.getClass().name.substring(store.getClass().name.lastIndexOf(".") + 1)
  println "Credentials for store context: ${store.contextDisplayName}, of type $shortenedClassName"
  domainCreds.forEach { domain , creds ->
    println indent("Domain: ${domain.name}", 1)
    creds.each { cred ->
      cred.properties.each { prop, val ->
        println indent("$prop = \"$val\"", 2)
      }
      println indent("-----------------------", 2)
    }
  }
}

score 10 · Answer 3 · edited Jul 13 '22 at 08:37

10

Based on Magnus' answer but as a simple one-liner with still readable output:

com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{println it.dump().replace(' ', '\n')}

edited Jul 13 '22 at 08:37

henrycarteruk

103
5

answered Jan 17 '20 at 10:38

ymajoros

101
1
3

akostadinov · Answer 4 · 2021-10-11T15:01:11.063

@kenorb example with hudson.util.Secret is good. Also answers listing all credentials are very useful (thanks @ymajoros for one-liner).

These do not handle secret files though where secretBytes are used and still an encrypted string is shown. In such case the SecretBytes class needs to be used. Assuming the file is UTF-8, one can do:

secret = "{....}"
new String(com.cloudbees.plugins.credentials.SecretBytes.fromString(secret).getPlainData())

HTH

Update: This is the full solution from my gits:

com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{
  it.properties.each { prop, val ->
    if (prop == "secretBytes") {
      println(prop + "=>\n" + new String(com.cloudbees.plugins.credentials.SecretBytes.fromString("${val}").getPlainData()) + "\n")
    } else {
      println(prop + ' = "' + val + '"')
    }
  }
  println("-----------------------")
}

score 4 · Answer 5 · answered Aug 16 '19 at 09:04

For the record, The following snippet to be pasted into the console also does the job :

def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
    com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class,
    Jenkins.instance,
    null,
    null
)

for(c in creds) {
  if(c instanceof com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey){
    println(String.format("id=%s  desc=%s key=%s\n", c.id, c.description, c.privateKeySource.getPrivateKeys()))
  }
  if (c instanceof com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl){
    println(String.format("id=%s  desc=%s user=%s pass=%s\n", c.id, c.description, c.username, c.password))
  }
}

How to decrypt Jenkins passwords from credentials.xml?

5 Answers5

Linked