Extract passphrase from Jenkins' credentials.xml

jenkins

Solution 1:

Open your Jenkins' installation's script console by visiting http(s)://${JENKINS_ADDRESS}/script.

There, execute the following Groovy script:

println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )

where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD} is the encrypted content of the <password> or <passphrase> XML element that you are looking for.

Solution 2:

First, you need to get the encrypted value which is conveniently placed in the value attribute of the password field of that credentials item you are interested in. Navigate to the credentials item in Jenkins UI you, click Inspect Element on the password field, and copy its value attribute (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}

Then, go to JENKINS_URL/script and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") ); decrypted password appears under the input field

Solution 3:

I know this is old, but... With pipelines it's extremely simple. Here's an example pipeline that will print the credentials to the console:

node {
    def creds

    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }

        println creds
    }
}

Executing this pipeline produces the following in the console:

Started by user First Last (username)
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] node
Running on Jenkins in /jenkins/workspace/sandbox
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Sandbox)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo

User: testuser
Password: Ab37%ahc*z

[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

The trick here is that the credentials are only masked inside the withCredentials block. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This has been reported as a bug, however nothing is being done on it.

Solution 4:

If you are using the Jenkins Credential Binding Plugin, you can get it to write your password to a file. You can't just output to the console, as the plugin will ***** it out.

Credential Binding Plugin configuration to get password text on Windows

Solution 5:

Yes you can get it back. It is AES encrypted and you have to do some things before like searching for the passphrase. Have a look into the Secret class.

But you have look, there are already some scripts out there:

https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2

More information and a way to do it with java, can you find here:

What password encryption Jenkins is using?

Related

Form Google Maps URL that searches for a specific places near specific coordinates
Leave menu bar fixed on top when scrolled [closed]
How do I find the total size of my AWS S3 storage bucket or folder?
SELECT max(x) is returning null; how can I make it return 0?
Fastest way to Remove Duplicate Value from a list<> by lambda
Sublime Text 2: Auto fix indentation for javascript?
Add line break to tooltip in Bootstrap 3
Recursive mkdir() system call on Unix
React Native: JAVA_HOME is not set and no 'java' command could be found in your PATH
MySQL, coalesce equivalent for empty values?
How to ssh to localhost without password?
Android Marshmallow: Test permissions with Espresso?