• Stars
    star
    155
  • Rank 240,864 (Top 5 %)
  • Language
    Go
  • License
    MIT License
  • Created over 5 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Command line tool for dumping Jenkins credentials.

Software License Build status Release Powered By: goreleaser Go Report Card Maintainability

Jenkins Credentials Decryptor

Command line tool for decrypting and dumping Jenkins credentials.

What is this all about

Jenkins stores encrypted credentials in the credentials.xml file or in config.xml. To decrypt them you need the master.key and hudson.util.Secret files.

All files are located inside Jenkins home directory:

$JENKINS_HOME/credentials.xml 
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/jobs/example-folder/config.xml - Possible location

Compatibility

I've tested this on Jenkins 1.625.1 and 2.141

Run using a binary

Mac:

brew install hoto/repo/jenkins-credentials-decryptor

Mac or Linux:

curl -L \
  "https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.0/jenkins-credentials-decryptor_1.2.0_$(uname -s)_$(uname -m)" \
   -o jenkins-credentials-decryptor

chmod +x jenkins-credentials-decryptor

Or manually download binary from releases.

Help:

./jenkins-credentials-decryptor --help
./jenkins-credentials-decryptor --version

SSH into Jenkins box and run:

./jenkins-credentials-decryptor \
  -m $JENKINS_HOME/secrets/master.key \
  -s $JENKINS_HOME/secrets/hudson.util.Secret \
  -c $JENKINS_HOME/credentials.xml \
  -o json

Or if you have the files locally:

./jenkins-credentials-decryptor \
  -m master.key \
  -s hudson.util.Secret \
  -c credentials.xml \
  -o json

Run using docker

If you are worried about the binary sending your credentials over the network (it does not do that) then run a container with disabled network:

From Jenkins box:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
  --mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

With files locally:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
  --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

Build the binary yourself

If you are worried about executing a random binary from the internet then:

git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build

Binary will be located at bin/jenkins-credentials-decryptor.


Example output

Json output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o json
      
[
  {
    "description": "Vault admin",
    "id": "vault-admin",
    "username": "admin",
    "password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
    "scope": "GLOBAL"
  }
]

Text output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o text
      
0
        description: Vault admin
        id: vault-admin
        username: admin
        password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
        scope: GLOBAL

Development

Clone:

mkdir -p $GOPATH/src/github.com/hoto
cd $GOPATH/src/github.com/hoto
git clone https://github.com/hoto/jenkins-credentials-decryptor.git

Download dependencies:

make dependencies

Build and test:

make clean
make build
make test

Run a good ol' fashion manual smoke test:

make smoke-test-json
make smoke-test-text

Install to global golang bin directory:

make install

Following Standard Go Project Layout