Extract passphrase from Jenkins' credentials.xml
JenkinsJenkins Problem Overview
I have added an SSH credential to Jenkins.
Unfortunately, I have forgotten the SSH passphrase and would now like to obtain it from Jenkins' credential archive, which is located at ${JENKINS_HOME}/credentials.xml
.
That XML document seems to have credentials encrypted in XML tags <passphrase>
or <password>
.
How can I retrieve the plaintext passphrase?
Jenkins Solutions
Solution 1 - Jenkins
Open your Jenkins' installation's script console by visiting http(s)://${JENKINS_ADDRESS}/script
.
There, execute the following Groovy script:
println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )
where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD}
is the encrypted content of the <password>
or <passphrase>
XML element that you are looking for.
Solution 2 - Jenkins
First, you need to get the encrypted value which is conveniently placed in the value
attribute of the password field of that credentials item you are interested in. Navigate to the credentials item in Jenkins UI you, click Inspect Element on the password field, and copy its value
attribute (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}
Then, go to JENKINS_URL/script
and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") )
; decrypted password appears under the input field
Solution 3 - Jenkins
I know this is old, but... With pipelines it's extremely simple. Here's an example pipeline that will print the credentials to the console:
node {
def creds
stage('Sandbox') {
withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
}
println creds
}
}
Executing this pipeline produces the following in the console:
Started by user First Last (username)
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] node
Running on Jenkins in /jenkins/workspace/sandbox
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Sandbox)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo
User: testuser
Password: Ab37%ahc*z
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
The trick here is that the credentials are only masked inside the withCredentials
block. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This has been reported as a bug, however nothing is being done on it.
Solution 4 - Jenkins
If you are using the Jenkins Credential Binding Plugin, you can get it to write your password to a file. You can't just output to the console, as the plugin will ***** it out.
Solution 5 - Jenkins
Yes you can get it back. It is AES encrypted and you have to do some things before like searching for the passphrase. Have a look into the Secret class.
But you have look, there are already some scripts out there:
https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2
More information and a way to do it with java, can you find here: