Jenkins Security: Understanding and Recovering Encrypted Credentials

2026-02-01 · 3 min read

When Jenkins interacts with cloud services or private repositories, security is essential. To handle this, Jenkins uses a Credentials system to store secret text, usernames, and SSH keys. These are stored in an encrypted format on the Jenkins controller to prevent plain-text exposure.

However, encryption is only as secure as the management of its keys. If an attacker (or an admin) has access to the Jenkins filesystem and the encryption keys, these secrets can be decrypted.

Process to Recover Jenkins Credentials

Before diving into the decryption or recovery process, let us first understand how Jenkins credentials work with a simple demonstration.

Step 1: Installing Credentials Plugin

  1. Ensure you have administrator privileges or relevant permissions.
  2. Go to Manage Jenkins > Plugins > Available plugins.
  3. Search for Credentials.
  4. Install the plugin.

Figure 1: Installing Credentials Plugin


Figure 2: Download Progress

Step 2: Setting a Global Credential

After installation, you can configure a globally scoped credential.

  1. Go to Manage Jenkins > Credentials > Add Credentials.
  2. For this demonstration, choose Username and Password.
  3. Click the Create button.

Figure 3: Setting New Credentials

The encrypted password is stored in the $JENKINS_HOME/credentials.xml file.


Figure 4: Location of credentials.xml file

Step 3: Decrypting Credentials

While you can use the Jenkins Script Console for decryption, an external tool is often more efficient for bulk recovery or audits. We will use jenkins-credentials-decryptor, a Go-based tool.

The following files must be present:

  1. master.key - The primary encryption key used by Jenkins to protect stored secrets.
  2. hudson.util.Secret - The encrypted key file, protected by master.key, that holds the key used to decrypt credentials.
  3. credentials.xml - Stores the encrypted Jenkins credentials.

Figure 5: Listing Files
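As an added example (not code from this post or from the jenkins-credentials-decryptor project), the following Python script audits a controller for exactly the three files listed above without decrypting anything: it checks that master.key and hudson.util.Secret (which Jenkins keeps under $JENKINS_HOME/secrets/) and credentials.xml exist, flags any of them that group or other users can read, and enumerates the credentials in credentials.xml whose fields hold the {base64} form Jenkins uses for encrypted values. The credentials.xml and key files it writes into a temporary directory are constructed placeholders, not real key material.

```python
"""Audit-only inventory of the files that make Jenkins credentials recoverable.
Added example, not from the original post; locates the three files, flags ones
other local users can read, lists encrypted fields. All sample data is constructed."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Jenkins writes an encrypted value as "{<base64>}" (the Secret.toString() form).
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Paths relative to $JENKINS_HOME; the two key files live under secrets/.
KEY_FILES = {
    "master.key": os.path.join("secrets", "master.key"),
    "hudson.util.Secret": os.path.join("secrets", "hudson.util.Secret"),
    "credentials.xml": "credentials.xml",
}

# Constructed credentials.xml: two credential types, one encrypted field each.
SAMPLE_CREDENTIALS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>demo-github</id>
          <username>alice</username>
          <password>{AQAAABAAAAAQY29uc3RydWN0ZWQtY2lwaGVydGV4dA==}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
          <scope>SYSTEM</scope>
          <id>demo-token</id>
          <secret>{AQAAABAAAAAQYW5vdGhlci1jb25zdHJ1Y3RlZC12YWx1ZQ==}</secret>
        </org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

def check_key_files(jenkins_home):
    """Report missing files and files that other local users can read."""
    findings = []
    for label, rel in KEY_FILES.items():
        path = os.path.join(jenkins_home, rel)
        if not os.path.exists(path):
            findings.append(f"{label}: missing at {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{label}: mode {mode:o} grants group/other access")
    return findings

def find_encrypted_fields(credentials_xml):
    """List each credential (an element with an <id> child) and its encrypted fields."""
    creds = []
    for elem in ET.parse(credentials_xml).getroot().iter():
        id_elem = elem.find("id")
        if id_elem is None:
            continue
        encrypted = [child.tag for child in elem
                     if child.text and ENCRYPTED_VALUE.match(child.text.strip())]
        creds.append({
            "id": id_elem.text,
            "type": elem.tag.rsplit(".", 1)[-1],  # e.g. UsernamePasswordCredentialsImpl
            "scope": elem.findtext("scope", default="?"),
            "encrypted_fields": encrypted,
        })
    return creds

def audit(jenkins_home):
    """Combine the permission findings with the credential inventory."""
    creds_path = os.path.join(jenkins_home, KEY_FILES["credentials.xml"])
    creds = find_encrypted_fields(creds_path) if os.path.exists(creds_path) else []
    return {"findings": check_key_files(jenkins_home), "credentials": creds}

def _write(path, data, mode):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def build_demo_home():
    """Create a throwaway $JENKINS_HOME holding constructed placeholder key files."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    os.makedirs(os.path.join(home, "secrets"))
    _write(os.path.join(home, KEY_FILES["master.key"]), b"00" * 32, 0o644)  # deliberately too open
    _write(os.path.join(home, KEY_FILES["hudson.util.Secret"]), b"\x00" * 32, 0o600)
    _write(os.path.join(home, KEY_FILES["credentials.xml"]), SAMPLE_CREDENTIALS_XML.encode(), 0o640)
    return home

if __name__ == "__main__":
    print(audit(build_demo_home()))
```

Run it as-is to see the report for the constructed home, or call audit() with your own $JENKINS_HOME path on a controller. Any account that can read all three files, and any third party that receives copies of them, holds everything needed to recover every listed credential, so restrictive permissions on secrets/ and credentials.xml matter as much as the encryption itself.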

Run the tool with the correct flags and paths:

./bin/jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c credentials.xml

Figure 6: Running tool

The decryption succeeds; however, this approach is not portable, as it requires cloning the tool and installing its dependencies, which costs both time and disk space.

To address this, Key Decryptor provides an online Jenkins decryption tool.

Step 4: Decrypting with the KeyDecryptor Online Tool

The process is quite simple:

  1. In the input text field, paste the contents of the credentials.xml file.
  2. In the Master Key field, paste the contents of the master.key file.
  3. Upload the hudson.util.Secret file.
  4. Click the Decrypt button.

Figure 8: Decrypting credentials on the KeyDecryptor.com site

In this way, Jenkins credentials can be decrypted using both the CLI and the web interface.