Sometimes we need to get the credentials that are stored in Jenkins in plaintext. Jenkins does not allow viewing stored credentials, only updating them. In this blog post we will go through the steps to recover the credentials from Jenkins.
Credential Types
Jenkins offers the following options for storing credentials:
- Username with password
- GitHub App
- SSH Username with private key
- Secret file
- Secret text
- Certificate
Common key ids we are interested in that are used by Jenkins to store credentials:
- hudson.util.Secret: used for generic secrets
- com.cloudbees.plugins.credentials.SecretBytes.KEY: used for some credential types
Recovering Credentials
In this section, we will be recovering each type of credential. I have created sample credentials for each type as shown below:
Script Console
Groovy scripts can be run in the script console with the URL: <https://jenkins-url:jenkins-port/script>
Running the one-liner below will display all the saved credentials:
As seen above, the script shows all the credential details in plaintext. However, you may have noticed that some credential types, such as SecretBytes, are still not shown in plaintext.
The XML file containing the credential details can be found at $JENKINS_HOME/credentials.xml
The credentials.xml file contents generated by Jenkins for this example:
So we will go through each credential type and decrypt each one.
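Before decrypting anything, it helps to know which entries in credentials.xml hold encrypted values, for example to decide what must be rotated if the script console or the file was exposed. The following is an added example, not code from the original post: the class-name mapping, the `inventory` helper and the sample XML are assumptions constructed for illustration, and nothing is decrypted.

```python
import re
import xml.etree.ElementTree as ET

# Assumed mapping from plugin class names (as commonly written to
# credentials.xml) to the credential types listed in this post.
TYPE_NAMES = {
    "UsernamePasswordCredentialsImpl": "Username with password",
    "GitHubAppCredentials": "GitHub App",
    "BasicSSHUserPrivateKey": "SSH Username with private key",
    "FileCredentialsImpl": "Secret file",
    "StringCredentialsImpl": "Secret text",
    "CertificateCredentialsImpl": "Certificate",
}
# Encrypted values are stored as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def inventory(xml_text):
    """Return one dict per stored credential; no secret is decrypted or copied."""
    # Drop the XML declaration so parsing does not depend on XML 1.1 support.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    found = []
    for elem in ET.fromstring(body).iter():
        if elem.find("id") is None or elem.find("scope") is None:
            continue  # not a credential entry
        fields = sorted({child.tag for child in elem.iter()
                         if child.text and ENCRYPTED.match(child.text.strip())})
        short = elem.tag.rsplit(".", 1)[-1]
        found.append({
            "id": elem.findtext("id"),
            "type": TYPE_NAMES.get(short, "unknown (" + elem.tag + ")"),
            "encrypted_fields": fields,
        })
    return found

# Constructed sample; the {...} values are placeholders, not real ciphertext.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope><id>demo-userpass</id><username>demo</username>
<password>{QUJDREVGR0g=}</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
<scope>GLOBAL</scope><id>demo-ssh</id><username>demo</username>
<privateKeySource><privateKey>{SUpLTE1OT1A=}</privateKey></privateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

if __name__ == "__main__":
    print(*inventory(SAMPLE), sep="\n")
```

Entries reported with an unknown type come from plugins outside the assumed mapping and should be reviewed by hand.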
1. Username with password
To decrypt the password, we run the script below:
The password is shown in plaintext: