I am modifying the XML of a Jenkins job. There is a field which is a password. When I get the XML, where the raw password was there is now a hash.
What I need is to know how to create this hash from the raw password value.
<scm class="com.deluan.jenkins.plugins.rtc.JazzSCM">
  <username>user</username>
  <password>zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=</password>
</scm>
I have been reading Jenkins source code and I think the class HudsonPrivateSecurityRealm.java is involved but I am not sure about the salt parameter.
PS: This is not for the Jenkins password; it is for a plugin which has a password field in the job configuration.
This password is stored inside the file initialAdminPassword, which is located inside your jenkins_home directory. The file, along with its full path, is displayed on the Jenkins page, as shown in the following screenshot: On Windows: You can find the file under C:\Program Files (x86)\Jenkins\secrets.
Credential security To maximize security, credentials configured in Jenkins are stored in an encrypted form on the controller Jenkins instance (encrypted by the Jenkins instance ID) and are only handled in Pipeline projects via their credential IDs.
Listing ids of secrets Before you ask Jenkins for a credential you need to know its id. You can list all credentials ids by reading the $JENKINS_HOME/credentials.xml file.
In fact, it's not a hash but rather an encrypted password. I guess encryption keys are stored in the master node. Actually, you can decrypt the password by executing the following Groovy script on the master's script console:
import hudson.util.Secret

def secret = Secret.fromString("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=")
println(secret.getPlainText())
and if you want to encrypt the password, then
import hudson.util.Secret

def secret = Secret.fromString("your password")
println(secret.getEncryptedValue())
A password encrypted on a computer can be decrypted only on that particular computer since keys are randomly generated and obviously on different machines the keys are different.
Check out core/src/main/java/hudson/util/Secret.java for more details
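As an added example (not part of the answers here and not Jenkins code): a Python check that walks a job config.xml and reports whether each password-like field holds a Secret ciphertext or a value left in plaintext after a manual edit. The tag-name pattern, the labels and the format heuristics (brace-wrapped Base64 as written by current Jenkins, bare Base64 of whole 16-byte blocks for the older form shown in the question) are assumptions of this example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Element names treated as secret-bearing (assumption; extend per plugin).
SECRET_TAGS = re.compile(r"password|passphrase|secret|token", re.I)

def classify(value):
    """Heuristically label one field value from a job config.xml."""
    text = (value or "").strip()
    if not text:
        return "empty"
    braced = text.startswith("{") and text.endswith("}")
    body = text[1:-1] if braced else text
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"            # not Base64, so never passed through Secret
    if braced and raw:
        return "encrypted"            # "{...}" wrapper (assumed current format)
    if raw and len(raw) % 16 == 0:
        return "encrypted-legacy"     # whole AES blocks, as in the question
    return "plaintext"

def audit(xml_text):
    """Return (tag, label) for every secret-looking element, in document order."""
    root = ET.fromstring(xml_text)
    return [(el.tag, classify(el.text))
            for el in root.iter() if SECRET_TAGS.search(el.tag)]

# Constructed sample. The first value is the one from the question, the second
# is a made-up plaintext, the third wraps placeholder bytes (not real ciphertext).
BRACED = "{" + base64.b64encode(b"\x01" + bytes(40)).decode() + "}"
SAMPLE = """<project>
  <scm class="com.deluan.jenkins.plugins.rtc.JazzSCM">
    <username>user</username>
    <password>zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=</password>
  </scm>
  <builder><password>hunter2</password></builder>
  <publisher><apiToken>%s</apiToken></publisher>
</project>""" % BRACED

if __name__ == "__main__":
    for tag, label in audit(SAMPLE):
        print(f"{tag}: {label}")
```

The check only looks at the shape of the value; whether a ciphertext actually decrypts on a given controller can only be confirmed there, since the keys are instance-specific.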
Another possibility would be to execute a Groovy script via Jenkins Groovy console (you can reach it via JENKINS_URL/script):
println(hudson.util.Secret.decrypt("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk="))
Some other ways would be possible with Python:
https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2