Command line tool for decrypting and dumping Jenkins credentials.
Jenkins stores encrypted credentials in credentials.xml file.
To decrypt them you need the master.key and hudson.util.Secret files.
All three files are located inside Jenkins home directory:
$JENKINS_HOME/credentials.xml
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
I've tested this on Jenkins 1.625.1 and 2.141
Mac:
brew install hoto/repo/jenkins-credentials-decryptor
Mac or Linux:
curl -L \
"https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.1.0/jenkins-credentials-decryptor_1.1.0_$(uname -s)_$(uname -m)" \
-o jenkins-credentials-decryptor
chmod +x jenkins-credentials-decryptor
Or manually download binary from releases.
Help:
./jenkins-credentials-decryptor --help
./jenkins-credentials-decryptor --version
SSH into Jenkins box and run:
./jenkins-credentials-decryptor \
-m $JENKINS_HOME/secrets/master.key \
-s $JENKINS_HOME/secrets/hudson.util.Secret \
-c $JENKINS_HOME/credentials.xml \
-o json
Or if you have the files locally:
./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
If you are worried about me sending your credentials over the network (I can assure you I don't do that) then run a container with disabled network:
From Jenkins box:
docker run \
--rm \
--network none \
--workdir / \
--mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
--mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
--mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
docker.io/hoto/jenkins-credentials-decryptor:latest \
/jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
With files locally:
docker run \
--rm \
--network none \
--workdir / \
--mount "type=bind,src=$PWD/master.key,dst=/master.key" \
--mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
--mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
docker.io/hoto/jenkins-credentials-decryptor:latest \
/jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
If you are worried about executing a random binary from the internet then:
git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build
Binary will be in the bin folder.
Json output format:
$ ./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
[
{
"description": "Vault admin",
"id": "vault-admin",
"username": "admin",
"password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
"scope": "GLOBAL"
}
]
Text output format:
$ ./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o text
0
description: Vault admin
id: vault-admin
username: admin
password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
scope: GLOBAL
Get:
go get github.com/hoto/jenkins-credentials-decryptor/cmd/jenkins-credentials-decryptor/
Download dependencies:
make dependencies
Build and test:
make clean
make build
make test
Run a good ol' fashion manual smoke test:
make smoke-test-json
make smoke-test-text
Install to global golang bin directory:
make install
Following Standard Go Project Layout