Skip to content
Command line tool for dumping Jenkins credentials.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci
cmd/jenkins-credentials-decryptor
pkg
test/resources
.dockerignore
.editorconfig
.gitattributes
.gitignore
.goreleaser.yml
Dockerfile
Gopkg.lock
Gopkg.toml
LICENSE
Makefile
README.md

README.md

Docker hub CircleCI Go Report Card Maintainability Release

Jenkins Credentials Decryptor

Command line tool for decrypting and dumping Jenkins credentials.

What is this all about

Jenkins stores encrypted credentials in credentials.xml file.
To decrypt them you need the master.key and hudson.util.Secret files.

All three files are located inside Jenkins home directory:

$JENKINS_HOME/credentials.xml 
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret

Compatibility

I've tested this on Jenkins 1.625.1 and 2.141

Run using a binary

Download binary from releases, Linux and Mac only:

curl -L \
  "https://github.com/hoto/jenkins-credentials-decryptor/releases/download/0.0.5-alpha/jenkins-credentials-decryptor_0.0.5-alpha_$(uname -s)_$(uname -m)" \
   -o jenkins-credentials-decryptor

chmod +x jenkins-credentials-decryptor

SSH into Jenkins box and run:

./jenkins-credentials-decryptor \
  -m $JENKINS_HOME/secrets/master.key \
  -s $JENKINS_HOME/secrets/hudson.util.Secret \
  -c $JENKINS_HOME/credentials.xml 

Or if you have the files locally:

./jenkins-credentials-decryptor \
  -m master.key \
  -s hudson.util.Secret \
  -c credentials.xml 

Run using docker

If you are worried about me sending your credentials over the network (I can assure you I don't do that) then run a container with disabled network:

From Jenkins box:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
  --mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml 

With files locally:

docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
  --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml 

Build the binary yourself

If you are worried about executing a random binary from the internet then:

git clone https://github.com/hoto/jenkins-credentials-decryptor.git
make build

Binary will be in the bin folder.


Development

Get:

go get github.com/hoto/jenkins-credentials-decryptor/cmd/jenkins-credentials-decryptor/

Download dependencies:

make dependencies

Build and test:

make clean
make build
make test

Install to global golang bin directory:

make install

Following Standard Go Project Layout

You can’t perform that action at this time.