Command line tool for decrypting and dumping Jenkins credentials.
Jenkins stores encrypted credentials in the credentials.xml
file or in config.xml
.
To decrypt them you need the master.key
and hudson.util.Secret
files.
All files are located inside Jenkins home directory:
$JENKINS_HOME/credentials.xml
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/jobs/example-folder/config.xml - Possible location
I've tested this on Jenkins 1.625.1 and 2.141
Mac (Intel CPU only):
brew install hoto/repo/jenkins-credentials-decryptor
Mac (Intel CPU only) or Linux:
curl -L \
"https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_$(uname -s)_$(uname -m)" \
-o jenkins-credentials-decryptor
chmod +x jenkins-credentials-decryptor
Or manually download binary from releases.
Help:
./jenkins-credentials-decryptor --help
./jenkins-credentials-decryptor --version
SSH into Jenkins box and run:
./jenkins-credentials-decryptor \
-m $JENKINS_HOME/secrets/master.key \
-s $JENKINS_HOME/secrets/hudson.util.Secret \
-c $JENKINS_HOME/credentials.xml \
-o json
Or if you have the files locally:
./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
If you are worried about the binary sending your credentials over the network (it does not do that) then run a container with disabled network:
From Jenkins box:
docker run \
--rm \
--network none \
--workdir / \
--mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
--mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
--mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
docker.io/hoto/jenkins-credentials-decryptor:latest \
/jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
With files locally:
docker run \
--rm \
--network none \
--workdir / \
--mount "type=bind,src=$PWD/master.key,dst=/master.key" \
--mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
--mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
docker.io/hoto/jenkins-credentials-decryptor:latest \
/jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
Assuming you have enabled Flakes in your Nix configuration, you can use the provided flake.nix
to build and run this project.
- To build and run the binary without installing it:
nix run github:hoto/jenkins-credentials-decryptor -- --help
- To install in the current profile:
nix profile install github:hoto/jenkins-credentials-decryptor
If you are worried about executing a random binary from the internet then:
git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build
Binary will be located at bin/jenkins-credentials-decryptor
.
Json output format:
$ ./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o json
[
{
"description": "Vault admin",
"id": "vault-admin",
"username": "admin",
"password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
"scope": "GLOBAL"
}
]
Text output format:
$ ./jenkins-credentials-decryptor \
-m master.key \
-s hudson.util.Secret \
-c credentials.xml \
-o text
0
description: Vault admin
id: vault-admin
username: admin
password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
scope: GLOBAL
Clone:
mkdir -p $GOPATH/src/github.com/hoto
cd $GOPATH/src/github.com/hoto
git clone https://github.com/hoto/jenkins-credentials-decryptor.git
Download dependencies:
make dependencies
Build and test:
make clean
make build
make test
Run a good ol' fashion manual smoke test:
make smoke-test-json
make smoke-test-text
Install to global golang bin directory:
make install
Following Standard Go Project Layout