
Recover DB password stored in my DBeaver connection

Tags:

dbeaver

I forgot the password of a dev instance (irresponsible.. yeah, I am working on it). I have the connection saved in my DBeaver with the password. I am still able to connect using that connection. DBeaver is not showing it in plain text. Is there any way I can retrieve the password? Asking the DBA to reset the password is the last resort. I tried to copy and paste it into a notepad; copying is disabled, apparently.

Git_gal asked Oct 08 '16 03:10




3 Answers

Edit: For DBeaver 6.1.3+

The credential file is located at ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json (I was on Mac) and it follows a different encryption strategy than its predecessors. Please refer to the next answer to see how to decrypt it. It works like a charm.

Pre- DBeaver 6.1.3

Follow these steps (my DBeaver version was 3.5.8 and it was on Mac OS X El Capitan)

  1. Locate the file in which DBeaver stores the connection details. For me, it was in this location ~/.dbeaver/General/.dbeaver-data-sources.xml. This file is hidden, so keep that in mind when you look for it.
  2. Locate your interested Datasource Definition node in that file.
  3. Decrypt the password: Unfortunately, everything is in plain text except the password; the password is in some kind of encrypted form. Decrypt it to plain text using this tool.

Or

I put together a quick and dirty Java program by copying the core of DBeaver's method for decrypting the password. Once you have the encrypted password string, just execute this program; it will convert the password to plain text and print it.

How to run it

On Line Number 13, just replace OwEKLE4jpQ== with whatever encrypted password you are finding in .dbeaver-data-sources.xml file for your interested datasource. Compile it and run it, it will print the plain-text password.

https://github.com/jaisonpjohn/dbeaver-password-retriever/blob/master/SimpleStringEncrypter.java

Edit

Apparently, this is a "Popular" mistake. So I have deployed an AWS lambda function with the aforementioned code. Use this at your own risk, you will never know whether I am logging your password or not 😬

curl https://lmqm83ysii.execute-api.us-west-2.amazonaws.com/prod/dbeaver-password-decrypter \
-X POST --data "OwEKLE4jpQ=="

Edit 2

Even better, here is the UI https://bugdays.com/dbeaver-password-decrypter. This goes without saying, use this at your own risk 😬

so-random-dude answered Oct 09 '22 14:10


This can be done with OpenSSL:

openssl aes-128-cbc -d \
  -K babb4a9f774ab853c96c2d653dfe544a \
  -iv 00000000000000000000000000000000 \
  -in credentials-config.json | \
  dd bs=1 skip=16 2>/dev/null

Example for macOS in one line:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

For Linux, change the above path to ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json.

The key is from the source and is converted to hexadecimal. This can be done in Python:

>>> import struct
>>> struct.pack('<16b', -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74).hex()
'babb4a9f774ab853c96c2d653dfe544a'

Edit: I've published the script for this here.

Tatsh answered Oct 09 '22 14:10
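Why the zero-IV command in the answer above works, as an added example that is not part of the original answers: it builds a constructed file in the layout the Java answer on this page reads (16-byte IV followed by AES-128-CBC data) and decrypts it both with the IV taken from the file and with the zero IV plus a 16-byte skip. The function names, the fixed IV and the sample JSON are assumptions made for this example; it needs openssl, od, head, tail and dd.

```shell
#!/usr/bin/env bash
# Added example (not from the answers): credentials-config.json layout for
# DBeaver 6.1.3+ as the Java answer reads it: 16-byte IV, then AES-128-CBC data.
KEY=babb4a9f774ab853c96c2d653dfe544a        # key quoted on this page
ZERO_IV=00000000000000000000000000000000

# Constructed sample contents, shaped like the output shown on this page.
SAMPLE_JSON='{"postgres-jdbc-some-id":{"#connection":{"user":"your_user_name","password":"your_password"}}}'

# Write a constructed file in that layout. Real files carry their own IV;
# a fixed printable one is assumed here so the run is repeatable.
make_sample() {
  local out="$1" iv_raw='constructed-iv-1' iv_hex
  iv_hex=$(printf '%s' "$iv_raw" | od -An -tx1 | tr -d ' \n')
  printf '%s' "$iv_raw" > "$out"
  printf '%s' "$SAMPLE_JSON" | openssl aes-128-cbc -e -K "$KEY" -iv "$iv_hex" >> "$out"
}

# Strict form: take the IV from the first 16 bytes, decrypt only the rest.
dbeaver_decrypt() {
  local iv_hex
  iv_hex=$(head -c 16 "$1" | od -An -tx1 | tr -d ' \n')
  tail -c +17 "$1" | openssl aes-128-cbc -d -K "$KEY" -iv "$iv_hex"
}

# The answer's form: zero IV over the whole file, then drop 16 bytes.
# In CBC the IV only affects the first plaintext block, so the IV block
# decrypts to 16 junk bytes and every later block comes out intact.
dbeaver_decrypt_zero_iv() {
  openssl aes-128-cbc -d -K "$KEY" -iv "$ZERO_IV" -in "$1" | dd bs=1 skip=16 2>/dev/null
}

# Demo: both forms must return the same JSON for the constructed file.
demo() {
  local f a b
  f=$(mktemp) || return 1
  make_sample "$f"
  a=$(dbeaver_decrypt "$f")
  b=$(dbeaver_decrypt_zero_iv "$f")
  rm -f "$f"
  [ "$a" = "$b" ] && [ "$a" = "$SAMPLE_JSON" ] && echo "both forms agree"
}
demo
```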


For DBeaver 6.1.3+ the creds are stored in a "json" file now with different encryption.

This seemed to do the job for me:

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;

public class DecryptDbeaver {

  // from the DBeaver source 8/23/19 https://github.com/dbeaver/dbeaver/blob/57cec8ddfdbbf311261ebd0c7f957fdcd80a085f/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/model/impl/app/DefaultSecureStorage.java#L31
  private static final byte[] LOCAL_KEY_CACHE = new byte[] { -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74 };

  static String decrypt(byte[] contents) throws InvalidAlgorithmParameterException, InvalidKeyException, IOException, NoSuchPaddingException, NoSuchAlgorithmException {
    try (InputStream byteStream = new ByteArrayInputStream(contents)) {
      byte[] fileIv = new byte[16];
      byteStream.read(fileIv);
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
      SecretKey aes = new SecretKeySpec(LOCAL_KEY_CACHE, "AES");
      cipher.init(Cipher.DECRYPT_MODE, aes, new IvParameterSpec(fileIv));
      try (CipherInputStream cipherIn = new CipherInputStream(byteStream, cipher)) {
        return inputStreamToString(cipherIn);
      }
    }
  }

  static String inputStreamToString(java.io.InputStream is) {
    java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("syntax: param1: full path to your credentials-config.json file");
      System.exit(1);
    }
    System.out.println(decrypt(Files.readAllBytes(Paths.get(args[0]))));
  }

}

Pass it the path of your credentials-config.json file on local filesystem, for me it was

 Compile it
 $ javac DecryptDbeaver.java
 Now run it [adjust the paths to target your credentials-config.json file]
 $ java DecryptDbeaver ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
 Or if java 11+:
 $ java DecryptDbeaver.java ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

It will output to the console the user+pass for connections.

{"postgres-jdbc-some-id":{"#connection":{"user":"your_user_name","password":"your_password"...

If you don't recognize which password goes to which DB based on username, you must cross link the id names it also outputs initially to the sibling data-sources.json file (which should already be present and unencrypted and contains database coordinates).

rogerdpack answered Oct 09 '22 15:10