Skip to content

hoto/jenkins-credentials-decryptor

Repository files navigation

Software License Build status Release Powered By: goreleaser Go Report Card Maintainability

Jenkins Credentials Decryptor

Command line tool for decrypting and dumping Jenkins credentials.

What is this all about

Jenkins stores encrypted credentials in the credentials.xml file or in config.xml. To decrypt them you need the master.key and hudson.util.Secret files.

All files are located inside Jenkins home directory:

$JENKINS_HOME/credentials.xml 
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/jobs/example-folder/config.xml - Possible location

Compatibility

I've tested this on Jenkins 1.625.1 and 2.141

Usage

Pre-Built Binary

Mac (Intel CPU only):

brew install hoto/repo/jenkins-credentials-decryptor

Mac (Intel CPU only) or Linux:

curl -L \
  "https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_$(uname -s)_$(uname -m)" \
   -o jenkins-credentials-decryptor

chmod +x jenkins-credentials-decryptor

Or manually download binary from releases.

Help:

./jenkins-credentials-decryptor --help
./jenkins-credentials-decryptor --version

SSH into Jenkins box and run:

./jenkins-credentials-decryptor \
  -m $JENKINS_HOME/secrets/master.key \
  -s $JENKINS_HOME/secrets/hudson.util.Secret \
  -c $JENKINS_HOME/credentials.xml \
  -o json

Or if you have the files locally:

./jenkins-credentials-decryptor \
  -m master.key \
  -s hudson.util.Secret \
  -c credentials.xml \
  -o json

Docker

If you are worried about the binary sending your credentials over the network (it does not do that) then run a container with disabled network:

From Jenkins box:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
  --mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

With files locally:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
  --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

Nix

Assuming you have enabled Flakes in your Nix configuration, you can use the provided flake.nix to build and run this project.

  • To build and run the binary without installing it: nix run github:hoto/jenkins-credentials-decryptor -- --help
  • To install in the current profile: nix profile install github:hoto/jenkins-credentials-decryptor

Build Locally

If you are worried about executing a random binary from the internet then:

git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build

Binary will be located at bin/jenkins-credentials-decryptor.


Example output

Json output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o json
      
[
  {
    "description": "Vault admin",
    "id": "vault-admin",
    "username": "admin",
    "password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
    "scope": "GLOBAL"
  }
]

Text output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o text
      
0
        description: Vault admin
        id: vault-admin
        username: admin
        password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
        scope: GLOBAL

Development

Clone:

mkdir -p $GOPATH/src/github.com/hoto
cd $GOPATH/src/github.com/hoto
git clone https://github.com/hoto/jenkins-credentials-decryptor.git

Download dependencies:

make dependencies

Build and test:

make clean
make build
make test

Run a good ol' fashion manual smoke test:

make smoke-test-json
make smoke-test-text

Install to global golang bin directory:

make install

Following Standard Go Project Layout