87

I have added an SSH credential to Jenkins.

Unfortunately, I have forgotten the SSH passphrase and would now like to obtain it from Jenkins' credential archive, which is located at ${JENKINS_HOME}/credentials.xml.

That XML document seems to have credentials encrypted in XML tags <passphrase> or <password>.

How can I retrieve the plaintext passphrase?

6 Answers

203

Open your Jenkins' installation's script console by visiting http(s)://${JENKINS_ADDRESS}/script.

There, execute the following Groovy script:

println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )

where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD} is the encrypted content of the <password> or <passphrase> XML element that you are looking for.

3
  • 37
    And in order to get the password value of ${ENCRYPTED_PASSPHRASE_OR_PASSWORD}: go to credentials, update, in the browser "See source code" and you will get the encrypted password in the data field for password. Then use that function.
    – Keymon
    Commented Jun 9, 2017 at 10:20
  • 2
    What if I don't have access to /script (meaning Jenkins overall access)? Commented Jul 13, 2019 at 2:54
  • 3
    decrypt call worked for me without the dollar sign. Commented Sep 7, 2021 at 14:51
36

First, you need to get the encrypted value, which is conveniently placed in the value attribute of the password field of the credentials item you are interested in. Navigate to the credentials item in the Jenkins UI, click Inspect Element on the password field, and copy its value attribute (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}).

Then, go to JENKINS_URL/script and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") ); the decrypted password appears under the input field.

24

I know this is old, but... With pipelines it's extremely simple. Here's an example pipeline that will print the credentials to the console:

node {
    def creds

    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }

        println creds
    }
}

Executing this pipeline produces the following in the console:

Started by user First Last (username)
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] node
Running on Jenkins in /jenkins/workspace/sandbox
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Sandbox)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo

User: testuser
Password: Ab37%ahc*z

[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

The trick here is that the credentials are only masked inside the withCredentials block. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This has been reported as a bug, however nothing is being done on it.

6
  • 1
    Wrap in script { } if using declarative pipeline syntax. Commented Jan 10, 2019 at 18:01
  • @Cartucho Which version of Jenkins did you check?
    – Aleks G
    Commented Sep 12, 2019 at 15:12
  • @Cartucho I just copy-pasted this code and ran in 2.176.2 - worked like a charm
    – Aleks G
    Commented Sep 12, 2019 at 15:25
  • @AleksG Interesting, I don't know why it is failing in my environment.
    – Cartucho
    Commented Sep 12, 2019 at 17:13
  • does not work in declarative pipeline - prints ******
    – Sasha Bond
    Commented Dec 7, 2022 at 17:50
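
The scoping behaviour described in the pipeline answer above can be looked for during Jenkinsfile review. This is an added example, not code from the answer or from Jenkins: a heuristic Python check that flags assignments inside a withCredentials block that copy a bound secret variable into a variable not declared with def in that block. The function name find_escaping_secrets and the line-based matching are assumptions of this example.

```python
import re

# Binding arguments such as passwordVariable: 'C_PASS' name the secret variables.
BINDING_VAR = re.compile(r"\b\w*[Vv]ariable\s*:\s*['\"](\w+)['\"]")
# Plain or '+=' assignment; group 1 is set when the line declares with 'def'.
ASSIGN = re.compile(r"^\s*(def\s+)?([\w.]+)\s*\+?=(?!=)\s*(.+)$")

# The pipeline from the answer above, used as sample input.
LEAKY = r'''node {
    def creds

    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }

        println creds
    }
}
'''

def _closing(text, start, open_ch, close_ch):
    """Index of the delimiter that closes the one at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == open_ch) - (text[i] == close_ch)
        if depth == 0:
            return i
    raise ValueError("unbalanced delimiters")

def find_escaping_secrets(source):
    """Return (line, target, secrets) for each copy out of a withCredentials block."""
    findings = []
    for m in re.finditer(r"\bwithCredentials\s*\(", source):
        args_end = _closing(source, m.end() - 1, "(", ")")
        secrets = BINDING_VAR.findall(source[m.end():args_end])
        body_start = source.index("{", args_end)
        body_end = _closing(source, body_start, "{", "}")
        first_line = source.count("\n", 0, body_start) + 1
        for offset, line in enumerate(source[body_start + 1:body_end].split("\n")):
            a = ASSIGN.match(line)
            used = [s for s in secrets if a and re.search(rf"\b{s}\b", a.group(3))]
            if used and not a.group(1):  # 'def x = ...' stays local to the block
                findings.append((first_line + offset, a.group(2), used))
    return findings

if __name__ == "__main__":
    print(find_escaping_secrets(LEAKY))
```

The check is textual: a variable declared with def on an earlier line of the same block and assigned later is still reported, and delimiters inside string literals are assumed to be balanced.
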
14

Go to Manage Jenkins -> Script Console and run the following code:

import java.nio.charset.StandardCharsets;
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
      com.cloudbees.plugins.credentials.Credentials.class
)

for (c in creds) {
  println(c.id)
  if (c.properties.description) {
    println("   description: " + c.description)
  }
  if (c.properties.username) {
    println("   username: " + c.username)
  }
  if (c.properties.password) {
    println("   password: " + c.password)
  }
  if (c.properties.passphrase) {
    println("   passphrase: " + c.passphrase)
  }
  if (c.properties.secret) {
    println("   secret: " + c.secret)
  }
  if (c.properties.secretBytes) {
    println("    secretBytes: ")
    println("\n" + new String(c.secretBytes.getPlainData(), StandardCharsets.UTF_8))
    println("")
  }
  if (c.properties.privateKeySource) {
    println("   privateKey: " + c.getPrivateKey())
  }
  if (c.properties.apiToken) {
    println("   apiToken: " + c.apiToken)
  }
  if (c.properties.token) {
    println("   token: " + c.token)
  }
  println("")
}
1
  • 2
    I confirm that this is the easiest, and it works! Commented Feb 18 at 0:02
7

If you are using the Jenkins Credential Binding Plugin, you can get it to write your password to a file. You can't just output to the console, as the plugin will ***** it out.

Credential Binding Plugin configuration to get password text on Windows

1
  • 3
    Alternatively, you can somehow mangle the password, so that the plugin can't **** it out. E.g. as unix shell command: echo $PASS | sed -e 's/./&-/g'?. Commented Jan 8, 2018 at 9:15
3

Yes, you can get it back. It is AES encrypted, and you have to do some things beforehand, like searching for the passphrase. Have a look at the Secret class.

But have a look, there are already some scripts out there:

https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2

More information, and a way to do it with Java, can be found here:

What password encryption Jenkins is using?
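
As an added example (not part of the answer above or of the linked scripts), this Python function inventories which entries in a credentials.xml hold brace-wrapped encrypted values, without decrypting anything, which gives the list to work from when secrets have to be rotated. The sample document, its ids and its ciphertext placeholders are constructed, and the function name inventory is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Encrypted values appear wrapped in braces around base64 text, e.g. {AQAA...}.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample; the wrapped values are placeholders, not real ciphertext.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap>
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <id>deploy-user</id>
          <username>deploy</username>
          <password>{cGxhY2Vob2xkZXItMQ==}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
          <id>git-ssh</id>
          <passphrase>{cGxhY2Vob2xkZXItMg==}</passphrase>
          <privateKeySource>
            <privateKey>{cGxhY2Vob2xkZXItMw==}</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

def inventory(xml_text):
    """Return (id, credential type, encrypted field names) per credential entry."""
    # Drop the XML declaration: Python's expat-based parser rejects version 1.1.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    found = []
    for elem in ET.fromstring(body).iter():
        cred_id = elem.findtext("id")  # only credential entries have an <id> child
        fields = sorted(c.tag for c in elem.iter()
                        if c.text and ENCRYPTED.match(c.text.strip()))
        if cred_id is not None and fields:
            found.append((cred_id, elem.tag.rsplit(".", 1)[-1], fields))
    return found

if __name__ == "__main__":
    for cred_id, kind, fields in inventory(SAMPLE):
        print(f"{cred_id} ({kind}): {', '.join(fields)}")
```
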
