hoto/jenkins-credentials-decryptor

[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](/LICENSE)
[![Build status](https://github.com/hoto/jenkins-credentials-decryptor/workflows/Test/badge.svg?branch=master)](https://github.com/hoto/jenkins-credentials-decryptor/actions)
[![Release](https://img.shields.io/github/release/hoto/jenkins-credentials-decryptor.svg?style=flat-square)](https://github.com/hoto/jenkins-credentials-decryptor/releases/latest)
[![Powered By: goreleaser](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=flat-square)](https://github.com/goreleaser/goreleaser)
[![Go Report Card](https://goreportcard.com/badge/github.com/hoto/jenkins-credentials-decryptor)](https://goreportcard.com/report/github.com/hoto/jenkins-credentials-decryptor)
[![Maintainability](https://api.codeclimate.com/v1/badges/27f61a82b9a5589f1a07/maintainability)](https://codeclimate.com/github/hoto/jenkins-credentials-decryptor/maintainability)
# Jenkins Credentials Decryptor

Command line tool for decrypting and dumping Jenkins credentials.

### What is this all about

Jenkins stores encrypted credentials in the `credentials.xml` file or in `config.xml`.
To decrypt them you need the `master.key` and `hudson.util.Secret` files.

All of these files are located inside the Jenkins home directory:

    $JENKINS_HOME/credentials.xml 
    $JENKINS_HOME/secrets/master.key
    $JENKINS_HOME/secrets/hudson.util.Secret
    $JENKINS_HOME/jobs/example-folder/config.xml - Possible location
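
Because the key material sits next to the ciphertext, read access to the Jenkins home is enough to recover every stored credential. The following is an added example (not part of this project's code) that audits a Jenkins home for that exposure: it flags key files readable beyond their owner and lists each `credentials.xml` / `config.xml` that holds encrypted values. `AuditJenkinsHome`, `Finding` and the brace-wrapped base64 pattern are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
)

// Assumption: encrypted values are serialised as base64 wrapped in braces,
// e.g. <password>{AQAAABAAAAAg...}</password>.
var encryptedValue = regexp.MustCompile(`>\{[A-Za-z0-9+/=]{20,}\}<`)

// Finding is one item the audit wants a human to review.
type Finding struct{ Path, Issue string }

// AuditJenkinsHome reports key files accessible to group/other and every
// credentials.xml or config.xml under home that carries encrypted values.
func AuditJenkinsHome(home string) ([]Finding, error) {
	var out []Finding
	for _, rel := range []string{"secrets/master.key", "secrets/hudson.util.Secret"} {
		p := filepath.Join(home, rel)
		if info, err := os.Stat(p); err != nil {
			out = append(out, Finding{p, "missing or unreadable"})
		} else if perm := info.Mode().Perm(); perm&0o077 != 0 {
			out = append(out, Finding{p, fmt.Sprintf("mode %04o grants group/other access", perm)})
		}
	}
	err := filepath.WalkDir(home, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || (d.Name() != "credentials.xml" && d.Name() != "config.xml") {
			return nil // skip unreadable entries, directories and unrelated files
		}
		if data, rerr := os.ReadFile(p); rerr == nil {
			if n := len(encryptedValue.FindAll(data, -1)); n > 0 {
				out = append(out, Finding{p, fmt.Sprintf("%d encrypted value(s)", n)})
			}
		}
		return nil
	})
	return out, err
}

func main() {
	findings, _ := AuditJenkinsHome(os.Getenv("JENKINS_HOME"))
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Issue)
	}
}
```

The files it lists are the ones whose secrets need rotating if the Jenkins home or a backup of it has been exposed.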

### Compatibility

I've tested this on Jenkins 1.625.1 and 2.141.

### Run using a binary

Mac (Intel CPU only):

    brew install hoto/repo/jenkins-credentials-decryptor

Mac (Intel CPU only) or Linux:

    curl -L \
      "https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_$(uname -s)_$(uname -m)" \
       -o jenkins-credentials-decryptor

    chmod +x jenkins-credentials-decryptor
    
Or manually download the binary from [releases](https://github.com/hoto/jenkins-credentials-decryptor/releases).

Help:

    ./jenkins-credentials-decryptor --help
    ./jenkins-credentials-decryptor --version

SSH into the Jenkins box and run:

    ./jenkins-credentials-decryptor \
      -m "$JENKINS_HOME/secrets/master.key" \
      -s "$JENKINS_HOME/secrets/hudson.util.Secret" \
      -c "$JENKINS_HOME/credentials.xml" \
      -o json
      
Or if you have the files locally:

    ./jenkins-credentials-decryptor \
      -m master.key \
      -s hudson.util.Secret \
      -c credentials.xml \
      -o json
      
### Run using docker
    
If you are worried about the binary sending your credentials over the network (it does not do that),
then run it in a container with networking disabled:

From the Jenkins box:

    docker run \
      --rm \
      --network none \
      --workdir / \
      --mount "type=bind,src=$JENKINS_HOME/secrets/master.key,dst=/master.key" \
      --mount "type=bind,src=$JENKINS_HOME/secrets/hudson.util.Secret,dst=/hudson.util.Secret" \
      --mount "type=bind,src=$JENKINS_HOME/credentials.xml,dst=/credentials.xml" \
      docker.io/hoto/jenkins-credentials-decryptor:latest \
      /jenkins-credentials-decryptor \
        -m master.key \
        -s hudson.util.Secret \
        -c credentials.xml \
        -o json

With files locally:

    docker run \
      --rm \
      --network none \
      --workdir / \
      --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
      --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
      --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
      docker.io/hoto/jenkins-credentials-decryptor:latest \
      /jenkins-credentials-decryptor \
        -m master.key \
        -s hudson.util.Secret \
        -c credentials.xml \
        -o json
        
### Build the binary yourself

If you are worried about executing a random binary from the internet then:

    git clone https://github.com/hoto/jenkins-credentials-decryptor.git
    cd jenkins-credentials-decryptor
    make build

The binary will be located at `bin/jenkins-credentials-decryptor`.

---

### Example output

JSON output format:

    $ ./jenkins-credentials-decryptor \
           -m master.key \
           -s hudson.util.Secret \
           -c credentials.xml \
           -o json
          
    [
      {
        "description": "Vault admin",
        "id": "vault-admin",
        "username": "admin",
        "password": "9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#",
        "scope": "GLOBAL"
      }
    ]

Text output format:
 
    $ ./jenkins-credentials-decryptor \
           -m master.key \
           -s hudson.util.Secret \
           -c credentials.xml \
           -o text
          
    0
            description: Vault admin
            id: vault-admin
            username: admin
            password: 9cy7Mbw@1Omm7db@q6eP3k62Wm*ev#
            scope: GLOBAL

---
 
### Development

Clone:

    mkdir -p $GOPATH/src/github.com/hoto
    cd $GOPATH/src/github.com/hoto
    git clone https://github.com/hoto/jenkins-credentials-decryptor.git

Download dependencies:

    make dependencies

Build and test:

    make clean
    make build
    make test
    
Run a good ol' fashioned manual smoke test:

    make smoke-test-json
    make smoke-test-text

Install to global golang bin directory:

    make install

---
_Following_ [_Standard Go Project Layout_](https://github.com/golang-standards/project-layout)