Jenkins Credentials Decryptor

Command line tool for decrypting and dumping Jenkins credentials.

What is this all about

Jenkins stores encrypted credentials in the credentials.xml file or in config.xml. To decrypt them you need the master.key and hudson.util.Secret files.

All files are located inside Jenkins home directory:

$JENKINS_HOME/credentials.xml 
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/jobs/example-folder/config.xml - Possible location

Compatibility

I've tested this on Jenkins 1.625.1 and 2.141

Run using a binary

Mac (Intel CPU only):

brew install hoto/repo/jenkins-credentials-decryptor

Mac (Intel CPU only) or Linux:

curl -L \
  "https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_$(uname -s)_$(uname -m)" \
   -o jenkins-credentials-decryptor

chmod +x jenkins-credentials-decryptor

Or manually download binary from releases.

Help:

./jenkins-credentials-decryptor --help
./jenkins-credentials-decryptor --version

SSH into Jenkins box and run:

./jenkins-credentials-decryptor \
  -m $JENKINS_HOME/secrets/master.key \
  -s $JENKINS_HOME/secrets/hudson.util.Secret \
  -c $JENKINS_HOME/credentials.xml \
  -o json

Or if you have the files locally:

./jenkins-credentials-decryptor \
  -m master.key \
  -s hudson.util.Secret \
  -c credentials.xml \
  -o json

Run using docker

If you are worried about the binary sending your credentials over the network (it does not do that) then run a container with disabled network:

From Jenkins box:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
  --mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

With files locally:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
  --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

Build the binary yourself

If you are worried about executing a random binary from the internet then:

git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build

Binary will be located at bin/jenkins-credentials-decryptor.

---

Example output

Json output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o json
      
[
  {
    "description": "Vault admin",
    "id": "vault-admin",
    "username": "admin",
    "password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
    "scope": "GLOBAL"
  }
]

Text output format:

$ ./jenkins-credentials-decryptor \
       -m master.key \
       -s hudson.util.Secret \
       -c credentials.xml \
       -o text
      
0
        description: Vault admin
        id: vault-admin
        username: admin
        password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
        scope: GLOBAL

---

Development

Clone:

mkdir -p $GOPATH/src/github.com/hoto
cd $GOPATH/src/github.com/hoto
git clone https://github.com/hoto/jenkins-credentials-decryptor.git

Download dependencies:

make dependencies

Build and test:

make clean
make build
make test

Run a good ol' fashion manual smoke test:

make smoke-test-json
make smoke-test-text

Install to global golang bin directory:

make install

---

Following Standard Go Project Layout