Jenkins: Credentials Plugin – Decrypt Password

The Jenkins Credentials plugin hides secrets such as passwords and SSH or API keys by encrypting them.

Nevertheless, these credentials can be decrypted and printed in plain text.

In this note I will show two ways to decrypt secrets masked by the Jenkins Credentials plugin.


Decrypt Jenkins Credentials – Jenkins Pipeline

Below you will find Jenkins pipeline examples that can be used to decrypt secrets stored in Jenkins credentials.

Info: Replace credentials-id with the corresponding credential ID.

Print username and decrypted password:

node {
  stage('Jenkins Credentials | Decrypt Password') {
    withCredentials([usernamePassword(credentialsId: 'credentials-id',
                                      passwordVariable: 'password',
                                      usernameVariable: 'username')]) {
      creds = "\nUsername: ${username}\nPassword: ${password}\n"
    }
    println creds
  }
}

Show the contents of the secret file:

node {
  stage('Jenkins Credentials | Decrypt Secret File') {
    withCredentials([file(credentialsId: 'credentials-id',
                          variable: 'secretFile')]) {
      // Single quotes: the shell, not Groovy, expands the variable
      sh 'cat "$secretFile"'
    }
  }
}

Show decrypted secret text string (e.g. API key):

node {
  stage('Jenkins Credentials | Decrypt Secret Text String') {
    withCredentials([string(credentialsId: 'credentials-id',
                            variable: 'secretText')]) {
      apiKey = "\nAPI key: ${secretText}\n"
    }
    println apiKey
  }
}

Get SSH username and a private key:

node {
  stage('Jenkins Credentials | Decrypt SSH key') {
    withCredentials([sshUserPrivateKey(credentialsId: 'credentials-id',
                                       keyFileVariable: 'key',
                                       usernameVariable: 'username')]) {
      creds = "\nUsername: ${username}\n"
      // Single quotes: the shell, not Groovy, expands the variable
      sh 'cat "$key"'
    }
    println creds
  }
}

Get SSH username, private key and display a passphrase:

node {
  stage('Jenkins Credentials | Decrypt SSH key') {
    withCredentials([sshUserPrivateKey(credentialsId: 'credentials-id',
                                       keyFileVariable: 'key',
                                       usernameVariable: 'username',
                                       passphraseVariable: 'passphrase')]) {
      creds = "\nUsername: ${username}\nPassphrase: ${passphrase}\n"
      // Single quotes: the shell, not Groovy, expands the variable
      sh 'cat "$key"'
    }
    println creds
  }
}

Decrypt ‘credentials.xml’ – Groovy Script

Another way to decrypt Jenkins credentials is to execute a Groovy script on a Jenkins server.

By default, Jenkins stores encrypted secrets in the credentials.xml file.

You can take the encrypted secret from that file on the Jenkins server. Alternatively, open the page with the needed credentials in the Jenkins web interface, click on Update and view the page source in a browser: the encrypted secrets appear in the corresponding data fields.

Encrypted: {AQAAABAAAAAgYLJWCZtomd4hxJcnqmU...hr6V7AP3JEF77Sidql2V66}

To decrypt the encrypted data, open the Jenkins script console by visiting http(s)://${JENKINS_URL}/script and execute the following Groovy script:

println(hudson.util.Secret.decrypt(
    "{AQAAABAAAAAgYLJWCZtomd4hxJcnqmUgSI9q7hC9mnUt0zI/ATVpv5hr6V7AP3JEF77Sidql2V66}"
  )
)
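
The encrypted value shown above has a recognisable structure, so copies of it that end up outside the controller (config backups, repositories, tickets) can be found and the affected credentials rotated. The Python scanner below is an added example, not code from the original post; it flags such values in arbitrary text and prints only a redacted preview. It assumes the current hudson.util.Secret layout (version byte 1, two big-endian 32-bit lengths, 16-byte IV, AES ciphertext); the function names and the sample XML are constructed for illustration.

```python
import base64
import re
import struct

# Brace-wrapped base64, the shape of the "Encrypted: {...}" value shown above.
BLOB_RE = re.compile(r"\{([A-Za-z0-9+/]{16,}={0,2})\}")
PAYLOAD_V1 = 1   # assumption: version byte of the current Secret payload layout
AES_BLOCK = 16


def parse_secret_header(b64):
    """Return (iv_len, data_len) if b64 is a well-formed v1 payload, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # bad alphabet or padding: not a Secret value
        return None
    if len(raw) < 9 or raw[0] != PAYLOAD_V1:
        return None
    iv_len, data_len = struct.unpack(">II", raw[1:9])
    if iv_len != AES_BLOCK or data_len == 0 or data_len % AES_BLOCK:
        return None
    if len(raw) != 9 + iv_len + data_len:   # truncated or over-long blob
        return None
    return iv_len, data_len


def find_jenkins_secrets(text):
    """Return [(line_no, redacted_preview, data_len)] for each encrypted value."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in BLOB_RE.finditer(line):
            header = parse_secret_header(match.group(1))
            if header:
                hits.append((line_no, match.group(1)[:12] + "...", header[1]))
    return hits


def make_sample_blob(data_len=32):
    """Constructed sample: valid header, all-zero IV and ciphertext (no real secret)."""
    raw = bytes([PAYLOAD_V1]) + struct.pack(">II", AES_BLOCK, data_len)
    raw += bytes(AES_BLOCK + data_len)
    return "{" + base64.b64encode(raw).decode() + "}"


# Constructed credentials.xml fragment: one encrypted value, one look-alike.
SAMPLE = "\n".join([
    "<username>deploy</username>",
    "<password>" + make_sample_blob() + "</password>",
    "<description>{" + base64.b64encode(b"just a note, not a secret").decode() + "}</description>",
])

if __name__ == "__main__":
    for hit in find_jenkins_secrets(SAMPLE):
        print("line %d: %s (%d ciphertext bytes)" % hit)
```

The look-alike on the third sample line is valid base64 inside braces but fails the header check, which is what keeps the scanner from flagging every brace-wrapped string.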
