Skip to content

Instantly share code, notes, and snippets.

@felipou
Last active September 1, 2024 15:21
Show Gist options
  • Save felipou/50b60309f99b70b1e28f6d22da5d8e61 to your computer and use it in GitHub Desktop.
Save felipou/50b60309f99b70b1e28f6d22da5d8e61 to your computer and use it in GitHub Desktop.
DBeaver password decryption script - for newer versions of DBeaver
# https://stackoverflow.com/questions/39928401/recover-db-password-stored-in-my-dbeaver-connection
# requires pycryptodome lib (pip install pycryptodome)
import sys
import base64
import os
import json
from Crypto.Cipher import AES
default_paths = [
'~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json',
'~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json',
'~/.local/share/.DBeaverData/workspace6/General/.dbeaver/credentials-config.json',
'~/AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json',
]
if len(sys.argv) < 2:
for path in default_paths:
filepath = os.path.expanduser(path)
try:
f = open(filepath, 'rb')
f.close()
break
except Exception as e:
pass
else:
filepath = sys.argv[1]
print(filepath)
#PASSWORD_DECRYPTION_KEY = bytes([-70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74])
PASSWORD_DECRYPTION_KEY = bytes([186, 187, 74, 159, 119, 74, 184, 83, 201, 108, 45, 101, 61, 254, 84, 74])
data = open(filepath, 'rb').read()
decryptor = AES.new(PASSWORD_DECRYPTION_KEY, AES.MODE_CBC, data[:16])
padded_output = decryptor.decrypt(data[16:])
output = padded_output.rstrip(padded_output[-1:])
try:
print(json.dumps(json.loads(output), indent=4, sort_keys=True))
except:
print(output)
@felipou
Copy link
Author

felipou commented Sep 29, 2021

Any clue on how to do this the other way around? I have to connect to an RDS DB that needs the password to be updated every 15 minutes. I would like to have a python script that updates the credentials-config.json automatically.

I need the same, any updates on that?

Shouldn't be too hard. If you take a look at the credentials json file, you'll see that you need the connection ID to know which one to update. Knowing that, you can just revert the decryption process (replace decrypt with encrypt, properly append encryption key, take care of padding), replace the encrypted value in the json and overwrite the file.

@akdemy
Copy link

akdemy commented Oct 1, 2021

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

@brafaeloliveira
Copy link

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Thanks! Works flawlessly in Windows + WSL2:
openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "/mnt/c/Users//AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

@felipou
Copy link
Author

felipou commented Oct 27, 2021

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Nice, I always like to have an one-liner solution!

@noise-trader
Copy link

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Brilliant! After wasting a few hours trying to figure it out, this just made my day! Thanks!

@Sarke
Copy link

Sarke commented Apr 1, 2022

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Thanks! Works on Linux too.

You can also pipe it through jq to get pretty output by appending | jq

@davists
Copy link

davists commented May 1, 2022

Thanks a lot. That helped!

@callmetal
Copy link

callmetal commented Nov 29, 2022

The script worked great on windows 10.
I have DBeaver installed from the Windows Store, and my path is:
r'C:\Users\[username]\AppData\Local\Packages\DBeaverCorp.DBeaverCE_1b7tdvn0p0f9y\LocalCache\Roaming\DBeaverData\workspace6\General.dbeaver\credentials-config.json'

A few tips for others using windows 10:
If you don't have Python installed, you can open the command line as an Administrator and type:
Python
Click enter and it will open the Windows Store with the Python 3.10 page ready to download
If you need to install pycryptodome then go back to the command line and type:
pip install pycryptodome
Click enter

@J4YF7O
Copy link

J4YF7O commented Feb 21, 2023

Thank you very much,

I tested it, and both the python script and the openssl cmd work very well on mac.

I wonder if anyone has the openssl line to encrypt the file?

My flow would be to be able to generate connections from a script that would retrieve the data from AWS SSM.

@iRajjal
Copy link

iRajjal commented Feb 24, 2023

Thanks very much for the solution.

Is it possible to re-encrypt the modified json, for example I want to update the expired passwords automatically?

@thmsklngr
Copy link

Thank you so much, this script saved my day!

@BhuiyanMH
Copy link

Thanks, works for DBeaver 22.3.0 on the Windows platform.

@mixa42
Copy link

mixa42 commented May 15, 2023

thank you very much) the most necessary script that should be at hand

@joaovitor-correa
Copy link

Amazing, simple and very usefull!

@peisenmann
Copy link

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

This works almost perfectly for me. The one change I had to make was that my workspace was not named General. If you get ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json: No such file or directory, then do an ls ~/Library/DBeaverData/workspace6 to find your workspace folder, then replace General in the above command.

@athossampayo
Copy link

I had a lot of connections with same DBs and sometimes same usernames, so...
If anyone need a version that gets the configuration of each connection also, I did a fork:

https://gist.github.com/athossampayo/c028acbfe3b9d0aa0ff230d4c9e35c83

@mohamedamara1
Copy link

thanks, still works

@trashreactor
Copy link

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Thanks! Works flawlessly in Windows + WSL2: openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "/mnt/c/Users//AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

This works like a charm!, just adding the username placeholder
openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "/mnt/c/Users/<username>/AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

@Fjmontesinospalma
Copy link

Works on mac sonoma 14.4.1 and dbeaver 24.0.2.2024, thanks

@ulidtko
Copy link

ulidtko commented Jun 19, 2024

Did not work for dbeaver 23.0.0 🫤

@vboerchers
Copy link

for Mac OS users

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Thanks! Works flawlessly in Windows + WSL2: openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "/mnt/c/Users//AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

This works like a charm!, just adding the username placeholder openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "/mnt/c/Users/<username>/AppData/Roaming/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Piping the result through jq . | less formats it nicely.

@bigga
Copy link

bigga commented Sep 1, 2024

The script saved my life. Thanks a lot!
Worked flawlessly with DBeaver 24.0.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment