What password encryption is Jenkins using?

盖世英雄少女心 2020-12-09 15:46

I am modifying the XML of a Jenkins job. There is a field which is a password. When I get the XML, where the raw password was, there is now a hash.

What I need is to

3 Answers
  •  余生分开走
    2020-12-09 16:24

    Jenkins uses AES-128-ECB for all its encryptions. It basically uses the master.key file to encrypt the key stored in hudson.util.Secret file. This key is then used to encrypt the password in credentials.xml.

    So to decrypt a Jenkins password, you basically need access to the hudson.util.Secret and master.key files. You can check exactly how Jenkins encrypts the password by looking into the hudson.util.Secret class and its fromString method. Basically the password is concatenated with a magic before being encrypted using KEY.

    For more details, please check: Credentials storage in Jenkins.


    To decrypt the password, follow these steps:

    1. While logged in as admin in Jenkins, go to: /script page.
    2. Run the following command:

      println(hudson.util.Secret.decrypt("{XXX=}"))
      

      or:

      println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
      

      where {XXX=} is your encrypted password. This will print the plain password.

      To do the opposite, run:

      println(hudson.util.Secret.fromString("some_text").getEncryptedValue())
      

    Source: gist at tuxfight3r/jenkins-decrypt.groovy.


    Alternatively check the following scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.
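
For the question's scenario (a password field inside a job's XML), the check below reports which secret-looking fields are in the `{XXX=}` encrypted form described in the answer and which are still plain text. It is an added example, not part of the original answers or of Jenkins itself; the tag-name list, the sample XML and the `FAKE` value are constructed assumptions.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Assumption: element names that tend to hold secrets; extend for your plugins.
SECRET_TAGS = re.compile(r"password|passphrase|secret|token|apikey", re.I)
# The {XXX=} form shown in the answer: base64 text wrapped in braces.
WRAPPED = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")

def classify(value):
    """Return 'looks-encrypted', 'plaintext' or 'empty' for one field value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    match = WRAPPED.match(value)
    if not match:
        return "plaintext"
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"  # braces present, but not valid base64
    # AES works on 16-byte blocks, so real ciphertext is never shorter.
    return "looks-encrypted" if len(raw) >= 16 else "plaintext"

def audit(xml_text):
    """Return [(element path, verdict)] for every secret-looking leaf element."""
    findings = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        if len(node) == 0 and SECRET_TAGS.search(node.tag):
            findings.append((here, classify(node.text)))
        for child in node:
            walk(child, here)
    # For XML from an untrusted source, parse with defusedxml instead.
    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed sample: FAKE is 32 zero bytes in base64, not real ciphertext.
FAKE = "{" + base64.b64encode(bytes(32)).decode() + "}"
SAMPLE = f"""<project><builders><hypothetical.plugin.Step>
  <username>deploy</username>
  <password>{FAKE}</password>
  <apiToken>hunter2</apiToken>
</hypothetical.plugin.Step></builders></project>"""

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{verdict:16} {path}")
```

A `plaintext` verdict on a job's config.xml means the secret is readable by anyone who can read that file or fetch the job's XML, without needing master.key or hudson.util.Secret.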
