Thursday, September 28, 2023

Jenkins: Recover Credentials

Sometimes we need to recover, in plaintext, the credentials that are stored in Jenkins. Jenkins does not let you view stored credentials, only update them. In this blog post we will go through the steps to recover the credentials from Jenkins.

Credential Types


Jenkins gives the options of storing credentials in the following ways:
  1. Username with password
  2. GitHub App
  3. SSH Username with private key
  4. Secret file
  5. Secret text
  6. Certificate

The key ids used by Jenkins to store credentials that we are interested in:

  • hudson.util.Secret: used for generic secrets

  • com.cloudbees.plugins.credentials.SecretBytes.KEY: used for some credentials types

Recovering Credentials


In this section, we will be recovering each type of credential. I have created sample credentials for each type as shown below:


Script Console


Groovy scripts can be run in the script console with the URL: <https://jenkins-url:jenkins-port/script>

Running the one-liner below will display all the saved credentials:



As seen above, the script shows all the credential details in plaintext. However, you will have noticed that some of the credential types, such as SecretBytes, are still not shown in plaintext.

The XML file containing the credential details can be found at $JENKINS_HOME/credentials.xml.

The credentials.xml file contents generated by Jenkins for this example:


We will now go through each credential type and decrypt it.

1. Username with password


The credential details for the id admin-creds are as follows:



To decrypt the password, we run the script below:


The password is shown in plaintext:


2. Secret File



The file contents are saved as SecretBytes. To decrypt them, we run the script below:


The file contents are shown in plaintext:

3. Secret Text



The file contents are saved as Secret. To decrypt them, we run the script below:


The file contents are shown in plaintext:

4. Certificate



The file contents are saved as uploadedKeystoreBytes. To decrypt them, we run the script below:


The file contents are shown in plaintext:


The password can be decrypted as described in 1. Username with password and 3. Secret Text.


5. SSH Username with private key



The password and private key for SSH can be decrypted with:



6. GitHub App



To decrypt the github-app credentials, we can follow the previous steps for cachedToken and privateKey, using either the Secret or the SecretBytes decryption function.
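
Because every credential type above can be recovered by anyone with script console access, a useful follow-up is an inventory of what credentials.xml holds, so each stored secret can be rotated after an exposure. The script below is an added example, not code from the original post: it lists each credential id, its type and the fields that carry encrypted values, without decrypting anything. The sample XML, its element layout and every id other than admin-creds are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the credential types listed in the post;
# the element layout and all values are assumptions, not the post's file.
SAMPLE_XML = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap>
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <id>admin-creds</id>
          <username>admin</username>
          <password>{QUJDREVGR0g=}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
          <id>sample-file</id>
          <fileName>secret.txt</fileName>
          <secretBytes>{SUpLTE1OT1A=}</secretBytes>
        </org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
        <com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl>
          <id>sample-cert</id>
          <keyStoreSource>
            <uploadedKeystoreBytes>{UVJTVFVWV1g=}</uploadedKeystoreBytes>
          </keyStoreSource>
          <password>{WVowMTIzNDU=}</password>
        </com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")  # Jenkins wraps ciphertext as {base64}

def inventory(xml_text):
    """Return {credential id: (type, [fields holding encrypted values])}."""
    found = {}
    for node in ET.fromstring(xml_text).iter():
        cred_id = node.findtext("id")
        if cred_id is None:
            continue  # not a credential entry (no direct <id> child)
        fields = [el.tag for el in node.iter()
                  if el.text and ENCRYPTED.match(el.text.strip())]
        found[cred_id] = (node.tag.rsplit(".", 1)[-1], fields)
    return found

if __name__ == "__main__":
    for cred_id, (kind, fields) in inventory(SAMPLE_XML).items():
        print(f"{cred_id}: {kind} -> rotate {', '.join(fields)}")
```
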