138

I forgot the password of a dev instance (irresponsible.. yeah, I am working on it). I have the connection saved in my DBeaver with the password. I am still able to connect using that connection. DBeaver is not showing it in plain text. Is there anyway I can retrieve the password? Asking DBA to reset the password is the last resort. I tried to copy paste to a notepad, copying is disabled apparently.

Braiam
  • 1
  • 11
  • 47
  • 78
Git_gal
  • 1,399
  • 2
  • 9
  • 5
  • 2
    this work for me: https://bugdays.com/dbeaver-password-decrypter – Luciana Campello Apr 27 '21 at 13:53
  • This question is for a tool used often by programmers, it happens to also be used by other people LOL. SU might work too, but I think it's fine here since the answer is practically a programming one. – rogerdpack Mar 20 '23 at 16:54
  • @rogerdpack DBeaver may be used often by programmers, that does not make it a tool which is **primarily** used by programmers. It is also used by DBAs, or other people querying databases. – Mark Rotteveel Mar 31 '23 at 08:08

9 Answers9

234

For DBeaver 6.1.3+

The credential file is located ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json (I was on Mac) and it follows a different encryption strategy than it's predecessors. Please refer the next answer to see how to decrypt. It works like a charm.

Pre- DBeaver 6.1.3

Follow these steps (My DBeaver version was 3.5.8 and it was on Mac OsX El Capitan)

  1. Locate the file in which DBeaver stores the connection details. For me, it was in this location ~/.dbeaver/General/.dbeaver-data-sources.xml. This file is hidden, so keep that in mind when you look for it.
  2. Locate your interested Datasource Definition node in that file.
  3. Decrypt the password: Unfortunately, everything is in plain text except password; Password is in some kind of Encrypted form. Decrypt it to plain-text using this tool.

Or

I put together a quick and dirty Java program by copying core of DBeaver's method for decrypting the password. Once you have the Encrypted password string, just execute this program, it will convert the password to plain text and prints it

How to run it

On Line Number 13, just replace OwEKLE4jpQ== with whatever encrypted password you are finding in .dbeaver-data-sources.xml file for your interested datasource. Compile it and run it, it will print the plain-text password.

https://github.com/jaisonpjohn/dbeaver-password-retriever/blob/master/SimpleStringEncrypter.java

Apparently, this is a "Popular" mistake. So I have deployed an AWS lambda function with the aforementioned code. Use this at your own risk, you will never know whether I am logging your password or not

curl https://lmqm83ysii.execute-api.us-west-2.amazonaws.com/prod/dbeaver-password-decrypter \
-X POST --data "OwEKLE4jpQ=="

Even better, here is the UI https://bugdays.com/dbeaver-password-decrypter. This goes without saying, use this at your own risk

TylerH
  • 20,799
  • 66
  • 75
  • 101
so-random-dude
  • 15,277
  • 10
  • 68
  • 113
  • I'm trying to get this to work with the following steps, but it's not working. I edited the program to include the encrypted string from the file. I complied the program with `javac SimpleStringEncrypter.java`. Then trying to run it with `javac SimpleStringEncrypter` I receive the error `Could not find or load main class` – Oranges13 Dec 05 '17 at 16:39
  • @Oranges13 That's a weird issue and I think it has nothing to do with this program. I would suggest you to compile and run a helloworld program successfully, and then replace that program's content with the above given file and re-compile it and run it. – so-random-dude Dec 21 '17 at 14:44
  • I had to comment out the namespace in the file for it to work effectively. – Oranges13 Jan 05 '18 at 17:54
  • 1
    @Oranges13 namespace? you meant the package name? Thanks, I removed that from the code – so-random-dude Jan 05 '18 at 18:02
  • 16
    I created an equivalent python script using your code as reference: https://gist.github.com/felipou/f5472ad5f6a414528b44beb102e17fb4 It was faster than it would take me to install the java compiler :) – felipou Feb 25 '19 at 17:15
  • @felipou Nice, thanks for sharing If you dont want to run any program, just use this UI - http://dbeaver-password-decrypter.s3-website-us-west-2.amazonaws.com/ – so-random-dude Apr 01 '19 at 00:07
  • 2
    @felipou Your solution is great and you should post it as an answer. – NickZeng Apr 05 '19 at 15:47
  • 1
    MUST have link [http://dbeaver-password-decrypter.s3-website-us-west-2.amazonaws.com](http://dbeaver-password-decrypter.s3-website-us-west-2.amazonaws.com) – cystbear Jul 03 '19 at 13:52
  • 1
    I prefer @felipou version as it's run client-side, where so-random-dude is sending the password to a server out of my control. Thank you to both though. – Zach Aug 07 '19 at 19:57
  • 8
    Since version 6.1.3, this no longer works. The credentials are now stored encrypted in `.dbeaver/credentials-config.json` according to this: https://github.com/dbeaver/dbeaver/wiki/Admin-Manage-Connections. I'm assuming this is an encrypted json file (it's not plaintext json). – Tim Ludwinski Aug 19 '19 at 15:06
  • 1
    With version Version: 6.0.3.201904211926, the cred file is `~/.dbeaver4/General/.dbeaver-data-sources.xml` – Jason Kim Sep 10 '19 at 21:02
  • 1
    Here is a newer version, based on @rogerdpack answer https://gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61 – felipou Oct 03 '19 at 16:52
  • 1
    for win, the path is `C:\Users\\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver` – Fabio Formosa Nov 15 '19 at 10:49
  • @felipou I can confirm that [the gist you linked](https://gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61) works for the newer versions of DBeaver. (version 21.1.5, in my case) – Venryx Dec 05 '21 at 14:13
199

This can be done with OpenSSL:

openssl aes-128-cbc -d \
  -K babb4a9f774ab853c96c2d653dfe544a \
  -iv 00000000000000000000000000000000 \
  -in credentials-config.json | \
  dd bs=1 skip=16 2>/dev/null

Example for macOS in one line:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

For Linux, change the above path to ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json.

The key is from the source and is converted to hexadecimal. This can be done in Python:

>>> import struct
>>> struct.pack('<16b', -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74).hex()
'babb4a9f774ab853c96c2d653dfe544a'

Edit: I've published the script for this here.

Tatsh
  • 2,780
  • 1
  • 20
  • 23
  • 4
    Works with new 21+: In fact, tested with: Versión 21.0.3.202104181339 – Gonzalo Apr 27 '21 at 20:38
  • 2
    Works great with Windows version of dbeaver, I just ran it in WSL2. – Preston Jul 12 '21 at 18:14
  • Still works in version 22 (22.0.1.202203181646) installed from rpm package. – Jette Mar 23 '22 at 11:46
  • 1
    Working on DBeaver 21.3. Saved my life :D Thanks – raphaklaus May 26 '22 at 16:40
  • 21.0.0 windows I get "bad decrypt 9776:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:./crypto/evp/evp_enc.c:468:" Same in command prompt & wsl2 – pooroldpedro Jun 27 '22 at 07:02
  • If this tells you the file doesn't exist, or you don't see the credential you're looking for, back up to the `workspace6` directory and see if maybe you've defined another workspace. My credentials were all in another workspace folder, but when I fixed the path, it all worked like a charm on Version 22.1.3.202207240747 (installed via Homebrew Casks as dbeaver-community) – Patrick Oct 03 '22 at 13:22
  • Saved my day, huge thanks! Works on 23.1.0.202306041918 for MacOS (12.6.3) – vittorius Jun 12 '23 at 09:08
  • 1
    Now, decrypt key is stored at https://github.com/dbeaver/dbeaver/blob/8ed6d430a12ddc065a8bb69ec11babb152462f15/plugins/org.jkiss.dbeaver.registry/src/org/jkiss/dbeaver/registry/BaseProjectImpl.java#L77 – Julyano Felipe Jun 15 '23 at 18:20
71

For DBeaver 6.1.3+ the creds are stored in a "json" file now with different encryption.

This seemed to do the job for me:

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;

public class DecryptDbeaver {

  // from the DBeaver source 8/23/19 https://github.com/dbeaver/dbeaver/blob/57cec8ddfdbbf311261ebd0c7f957fdcd80a085f/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/model/impl/app/DefaultSecureStorage.java#L31
  private static final byte[] LOCAL_KEY_CACHE = new byte[] { -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74 };

  static String decrypt(byte[] contents) throws InvalidAlgorithmParameterException, InvalidKeyException, IOException, NoSuchPaddingException, NoSuchAlgorithmException {
    try (InputStream byteStream = new ByteArrayInputStream(contents)) {
      byte[] fileIv = new byte[16];
      byteStream.read(fileIv);
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
      SecretKey aes = new SecretKeySpec(LOCAL_KEY_CACHE, "AES");
      cipher.init(Cipher.DECRYPT_MODE, aes, new IvParameterSpec(fileIv));
      try (CipherInputStream cipherIn = new CipherInputStream(byteStream, cipher)) {
        return inputStreamToString(cipherIn);
      }
    }
  }

  static String inputStreamToString(java.io.InputStream is) {
    java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("syntax: param1: full path to your credentials-config.json file");
      System.exit(1);
    }
    System.out.println(decrypt(Files.readAllBytes(Paths.get(args[0]))));
  }

}

Pass it the path of your credentials-config.json file on local filesystem, for me it was

 Compile it
 $ javac DecryptDbeaver.java
 Now run it [adjusts the paths to target your credentials-config.json file]
 $ java DecryptDbeaver ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
 Or if java 11+:
 $ java DecryptDbeaver.java ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

It will output to the console the user+pass for connections.

{"postgres-jdbc-some-id":{"#connection":{"user":"your_user_name","password":"your_password"...

If you don't recognize which password goes to which DB based on username, you must cross link the id names it also outputs initially to the sibling data-sources.json file (which should already be present and unencrypted and contains database coordinates).

rogerdpack
  • 62,887
  • 36
  • 269
  • 388
  • 8
    As before, here is the Python (3) version: https://gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61 – felipou Oct 03 '19 at 16:51
  • 5
    A note for Linux Users, the file is found in /General/.dbeaver/credentials-config.json The Workspace directory can be found the preferences -> General -> Workspace. So for me it was: ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json – Aaron Chamberlain Oct 18 '20 at 03:53
  • 2
    In one CLI, java can run java files now: `java DecryptDbeaver.java ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json ` – pdem Jun 20 '22 at 09:16
  • Does anyone have a solution to re-encode the json please? The goal is to set-up the credentials via a script that fetches them from an external source. – J4Y-M Mar 17 '23 at 12:06
  • On Windows the path is: `C:\Users\{username}\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\credentials-config.json` – Jasper Citi Aug 15 '23 at 08:30
  • @J4Y-M maybe could use openssl like in the other answers, but in reverse? :) – rogerdpack Aug 17 '23 at 04:45
62

For Windows users (Tested Version 7.3.4, also tested 22.2.3)

Press File > Export > DBeaver > Project

Change the name of the export file to .zip, and unzip

Download OpenSSL, and copy \projects\General\.dbeaver\credentials-config.json into the same folder as the bin directory of openssl

Then run:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "credentials-config.json"

If you have WSL installed, this command can also be run from a Linux install with openssl available (which openssl) from any directory within the Linux install (Tested with Ubuntu on WSL2 copied file to \\wsl$\Ubuntu\home\me\dbeaver\credentials).

It will output to the terminal as default, if you need it in a file add > chosen_filename.json to the command.

DazBaldwin
  • 4,125
  • 3
  • 39
  • 43
Fiach Reid
  • 6,149
  • 2
  • 30
  • 34
9

This is the command to get the decrypted version of dbeaver credentials file on your desired destination path:

openssl aes-128-cbc -d \
-K babb4a9f774ab853c96c2d653dfe544a \
-iv 00000000000000000000000000000000 \
-in {path for the encrypted credentials file} > \
{your desired destination file}
  • {your desired destination file} e.g. ~/Desktop/dbeaver-credentials.json

You'll find dbeaver-credentials.json file on Desktop. But this file will have list of only usernames & passwords with some connection stanza (like mysql5-17be86ca5ea-294e2a427af47fc4). No db or server names will be there. You've to find the connection against the object id.

For Ubuntu snap package dbeaver-ce,

  • {path for the encrypted credentials file} = ~/snap/dbeaver-ce/current/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
TalESid
  • 2,304
  • 1
  • 20
  • 41
8

For Linux OS users, run this in Terminal:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "path_to/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Just replace the string "path_to/credentials-config.json" with your actual path to that file and you'll get something like this:

{"mysql8-17e009389a8-5fc414bd64e183f4":{"#connection":{"user":"root","password":"root"}},"mysql8-18099236fdf-3c3fc761c6fdde":{"#connection":{"user":"user.name","password":"your_secret_password"},"network/ssh_tunnel":{"user":"sql","jumpServer0.password":""}}}%
lewis4u
  • 14,256
  • 18
  • 107
  • 148
4

if there is package declaration just compile javac -d . SimpleStringEncrypter.java it will put it in the correct directory structure under the current directory Then you can give java -cp . packagename.SimpleStringEncrypter and it will run. Basic java.

Anyway this program is fantastic and saved a lot of time for me.

kedar
  • 41
  • 2
2

Look at this:

docker run -d -p 18080:8080 --name crack-dbeaver-password-18080 geekyouth/crack-dbeaver-password

https://github.com/geekyouth/crack-dbeaver-password

General Grievance
  • 4,555
  • 31
  • 31
  • 45
geekyouth
  • 121
  • 8
-5

If you dont want all the saved connections

Just remove the --\DBeaverData\workspace6\General folder from the file system so that it can not ask any password again. and the workspace data will be lost.

You will loose all the custom settings and preferences.

Madhu Uppu
  • 1