221

I forgot the password of a dev instance (irresponsible.. yeah, I am working on it). I have the connection saved in my DBeaver with the password. I am still able to connect using that connection. DBeaver is not showing it in plain text. Is there any way I can retrieve the password? Asking the DBA to reset the password is the last resort. I tried to copy-paste it to a notepad, but copying is apparently disabled.

7
  • 7
    This works for me: bugdays.com/dbeaver-password-decrypter Commented Apr 27, 2021 at 13:53
  • 1
    This question is for a tool used often by programmers, it happens to also be used by other people LOL. SU might work too, but I think it's fine here since the answer is practically a programming one. Commented Mar 20, 2023 at 16:54
  • 10
    On Windows, this works: openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "%AppData%\DBeaverData\workspace6\General\.dbeaver\credentials-config.json". You can download openssl on windows here - wiki.openssl.org/index.php/Binaries Commented Oct 13, 2023 at 2:06
  • 16
    On Mac, this works: openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json Commented Feb 22, 2024 at 20:47
  • 2
    @ManoharReddyPoreddy Although my dir path was different, it worked like a charm, thanks. Saved my day! Commented Aug 2, 2024 at 15:50

9 Answers

333

This can be done with OpenSSL:

openssl aes-128-cbc -d \
  -K babb4a9f774ab853c96c2d653dfe544a \
  -iv 00000000000000000000000000000000 \
  -in credentials-config.json | \
  dd bs=1 skip=16 2>/dev/null

Example for macOS in one line:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

For Linux, change the above path to ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json.

The key is from the source and is converted to hexadecimal. This can be done in Python:

>>> import struct
>>> struct.pack('<16b', -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74).hex()
'babb4a9f774ab853c96c2d653dfe544a'

Edit: I've published the script for this here.


15 Comments

Works with new 21+: In fact, tested with: Versión 21.0.3.202104181339
Works great with Windows version of dbeaver, I just ran it in WSL2.
Now, decrypt key is stored at github.com/dbeaver/dbeaver/blob/…
This should be the accepted answer. Faster and safer.
This is the right answer, I appreciate the thing the other guy did, but I'm a bit apprehensive about sending my creds to a random website.
293

For newer DBeaver ( 6.1.3+ )

The credential file is located at ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json (I was on Mac). I put together a JavaScript function here https://www.bugdays.com/dbeaver-password-decrypter to decrypt it. Go there and select the credentials-config.json file; bugdays will decrypt it and display it. It's purely client side, there is no server uploading (however, it's a risky practice).

Pre- DBeaver 6.1.3

Follow these steps (my DBeaver version was 3.5.8 and it was on Mac OS X El Capitan):

  1. Locate the file in which DBeaver stores the connection details. For me, it was in this location ~/.dbeaver/General/.dbeaver-data-sources.xml. This file is hidden, so keep that in mind when you look for it.
  2. Locate the Datasource Definition node you are interested in within that file.
  3. Decrypt the password: Unfortunately, everything is in plain text except the password; the password is in some kind of encrypted form. Decrypt it to plain text using this tool.

Original Answer

I put together a quick and dirty Java program by copying the core of DBeaver's method for decrypting the password. Once you have the encrypted password string, just execute this program; it will convert the password to plain text and print it.

How to run it

On line number 13, just replace OwEKLE4jpQ== with whatever encrypted password you find in the .dbeaver-data-sources.xml file for the datasource you are interested in. Compile it and run it; it will print the plain-text password.

https://github.com/jaisonpjohn/dbeaver-password-retriever/blob/master/SimpleStringEncrypter.java

Apparently, this is a "popular" mistake. So I have deployed an AWS Lambda function with the aforementioned code. Use this at your own risk; you will never know whether I am logging your password or not.

curl https://lmqm83ysii.execute-api.us-west-2.amazonaws.com/prod/dbeaver-password-decrypter \
-X POST --data "OwEKLE4jpQ=="

Even better, here is the UI: https://bugdays.com/dbeaver-password-decrypter. This goes without saying: use this at your own risk.

15 Comments

@Oranges13 namespace? you meant the package name? Thanks, I removed that from the code
I created an equivalent python script using your code as reference: gist.github.com/felipou/f5472ad5f6a414528b44beb102e17fb4 It was faster than it would take me to install the java compiler :)
I prefer @felipou version as it's run client-side, where so-random-dude is sending the password to a server out of my control. Thank you to both though.
Since version 6.1.3, this no longer works. The credentials are now stored encrypted in .dbeaver/credentials-config.json according to this: github.com/dbeaver/dbeaver/wiki/Admin-Manage-Connections. I'm assuming this is an encrypted json file (it's not plaintext json).
Here is a newer version, based on @rogerdpack answer gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61
88

For DBeaver 6.1.3+ the creds are stored in a "json" file now with different encryption.

This seemed to do the job for me:

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;

public class DecryptDbeaver {

  // from the DBeaver source 8/23/19 https://github.com/dbeaver/dbeaver/blob/57cec8ddfdbbf311261ebd0c7f957fdcd80a085f/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/model/impl/app/DefaultSecureStorage.java#L31
  private static final byte[] LOCAL_KEY_CACHE = new byte[] { -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74 };

  static String decrypt(byte[] contents) throws InvalidAlgorithmParameterException, InvalidKeyException, IOException, NoSuchPaddingException, NoSuchAlgorithmException {
    try (InputStream byteStream = new ByteArrayInputStream(contents)) {
      byte[] fileIv = new byte[16];
      byteStream.read(fileIv);
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
      SecretKey aes = new SecretKeySpec(LOCAL_KEY_CACHE, "AES");
      cipher.init(Cipher.DECRYPT_MODE, aes, new IvParameterSpec(fileIv));
      try (CipherInputStream cipherIn = new CipherInputStream(byteStream, cipher)) {
        return inputStreamToString(cipherIn);
      }
    }
  }

  static String inputStreamToString(java.io.InputStream is) {
    java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("syntax: param1: full path to your credentials-config.json file");
      System.exit(1);
    }
    System.out.println(decrypt(Files.readAllBytes(Paths.get(args[0]))));
  }

}

Pass it the path of your credentials-config.json file on local filesystem, for me it was

 Compile it
 $ javac DecryptDbeaver.java
 Now run it [adjust the paths to target your credentials-config.json file]
 $ java DecryptDbeaver ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
 Or if java 11+:
 $ java DecryptDbeaver.java ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

It will output to the console the user+pass for connections.

{"postgres-jdbc-some-id":{"#connection":{"user":"your_user_name","password":"your_password"...

If you don't recognize which password goes to which DB based on username, you must cross link the id names it also outputs initially to the sibling data-sources.json file (which should already be present and unencrypted and contains database coordinates).

6 Comments

As before, here is the Python (3) version: gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61
A note for Linux users: the file is found in <workspace>/General/.dbeaver/credentials-config.json. The workspace directory can be found in the preferences -> General -> Workspace. So for me it was: ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
In one CLI, java can run java files now: java DecryptDbeaver.java ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
Does anyone have a solution to re-encode the json please? The goal is to set-up the credentials via a script that fetches them from an external source.
On Windows the path is: C:\Users\{username}\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\credentials-config.json
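
Added example (not from any answer or comment on this page): the Java answer reads the first 16 bytes of the file as the IV, while the OpenSSL answers pass an all-zero IV and drop 16 bytes with dd; this script builds a constructed sample file in that layout and shows that both routes return the same plaintext, and that leaving dd out only adds one junk block in front. The sample JSON, temporary file and function names are assumptions made for the demonstration; the key is the one quoted on this page.

```shell
#!/bin/sh
# Added example. KEY is the hard-coded key quoted on this page; all other data is constructed.
KEY=babb4a9f774ab853c96c2d653dfe544a
ZERO_IV=00000000000000000000000000000000
SAMPLE_JSON='{"constructed-id-1":{"#connection":{"user":"demo","password":"not-a-real-secret"}}}'

# Build a file laid out the way the Java answer reads it: 16-byte IV, then AES-128-CBC ciphertext.
make_sample() {   # $1 = output path
    openssl rand 16 > "$1"
    iv_hex=$(od -An -tx1 "$1" | tr -d ' \n')
    printf '%s' "$SAMPLE_JSON" | openssl aes-128-cbc -e -K "$KEY" -iv "$iv_hex" >> "$1"
}

# Route 1 (the OpenSSL answers): decrypt the whole file, IV block included, under a zero IV.
# CBC gives P_i = D(C_i) XOR C_{i-1}; the stored IV sits where C_0 would be, so only
# the first output block (D(IV) XOR 0) is wrong. dd drops exactly that block.
decrypt_skip16() {
    openssl aes-128-cbc -d -K "$KEY" -iv "$ZERO_IV" -in "$1" | dd bs=1 skip=16 2>/dev/null
}

# Route 2 (the Java answer): split off the first 16 bytes and use them as the IV.
decrypt_with_file_iv() {
    iv_hex=$(head -c 16 "$1" | od -An -tx1 | tr -d ' \n')
    tail -c +17 "$1" | openssl aes-128-cbc -d -K "$KEY" -iv "$iv_hex"
}

# Size of route 1's output when dd is left out: plaintext plus one 16-byte junk block.
unskipped_length() {
    n=$(openssl aes-128-cbc -d -K "$KEY" -iv "$ZERO_IV" -in "$1" | wc -c)
    echo "$((n))"
}

demo=$(mktemp)
make_sample "$demo"
echo "zero IV + skip 16 : $(decrypt_skip16 "$demo")"
echo "IV read from file : $(decrypt_with_file_iv "$demo")"
echo "bytes without dd  : $(unskipped_length "$demo") (plaintext is ${#SAMPLE_JSON})"
rm -f "$demo"
```

Because the key is a constant and the IV travels in the file, read access to credentials-config.json is all that stands between a local user or a backup and the saved passwords, so the file deserves the same permissions and handling as a plaintext secret.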
86

For Windows users (Tested Version 7.3.4, also tested 22.2.3)

Press File > Export > DBeaver > Project

Change the name of the export file to .zip, and unzip

Download OpenSSL, and copy \projects\General\.dbeaver\credentials-config.json into the same folder as the bin directory of openssl

Then run:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "credentials-config.json"

If you have WSL installed, this command can also be run from a Linux install with openssl available (which openssl) from any directory within the Linux install (Tested with Ubuntu on WSL2 copied file to \\wsl$\Ubuntu\home\me\dbeaver\credentials).

It will output to the terminal by default; if you need it in a file, add > chosen_filename.json to the command.

8 Comments

Nothing happens. Where can I find the result?
Working for Ubuntu as well
confirmed working!
The Export is not needed, just decrypt from the "credentials-config.json" file (you can find it here: %appdata%\DBeaverData\workspace6\General\.dbeaver).
Worked using Git Bash's OpenSSL installation.
15

For Linux OS users, run this in Terminal:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "path_to/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Just replace the string "path_to/credentials-config.json" with your actual path to that file and you'll get something like this:

{"mysql8-17e009389a8-5fc414bd64e183f4":{"#connection":{"user":"root","password":"root"}},"mysql8-18099236fdf-3c3fc761c6fdde":{"#connection":{"user":"user.name","password":"your_secret_password"},"network/ssh_tunnel":{"user":"sql","jumpServer0.password":""}}}%

Comments

15

This is the command to get the decrypted version of dbeaver credentials file on your desired destination path:

openssl aes-128-cbc -d \
-K babb4a9f774ab853c96c2d653dfe544a \
-iv 00000000000000000000000000000000 \
-in {path for the encrypted credentials file} > \
{your desired destination file}
  • {your desired destination file} e.g. ~/Desktop/dbeaver-credentials.json

You'll find the dbeaver-credentials.json file on the Desktop. But this file will have a list of only usernames & passwords with some connection stanza (like mysql5-17be86ca5ea-294e2a427af47fc4). No db or server names will be there. You have to find the connection by its object id.


For Ubuntu snap package dbeaver-ce,

  • {path for the encrypted credentials file} = ~/snap/dbeaver-ce/current/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

Comments

4

If there is a package declaration, just compile with javac -d . SimpleStringEncrypter.java; it will put it in the correct directory structure under the current directory. Then you can run java -cp . packagename.SimpleStringEncrypter and it will run. Basic Java.

Anyway this program is fantastic and saved a lot of time for me.

Comments

3

Look at this:

docker run -d -p 18080:8080 --name crack-dbeaver-password-18080 geekyouth/crack-dbeaver-password

https://github.com/geekyouth/crack-dbeaver-password

Comments

-6

If you don't want all the saved connections:

Just remove the --\DBeaverData\workspace6\General folder from the file system so that it cannot ask for any password again, and the workspace data will be lost.

You will lose all the custom settings and preferences.

1 Comment

Although it could be useful, this is unrelated to the original question.
