Decrypt KVM VNC passwords from Cloudstack's DB

Tags: howto,cloudstack,vnc

Date: 20230121

If you have ever tried to open a KVM Cloudstack guest in, say, virt-manager, you will have been prompted for a VNC password.

This password is kept in the Cloudstack DB as an encrypted string, so you can't just use it as is.

Here's how to decrypt it.

First get the encrypted VNC password out of the DB. For example:

MariaDB [cloud]> select vnc_password from cloud.vm_instance where instance_name="i-2-5-VM";
| vnc_password                                 |
| jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw= |
1 row in set (0.00 sec)

Then decrypt that string using the appropriate Cloudstack libraries.
Note that we use "password" as the password here; you need to use your own, the one you used when you set up encryption of the Cloudstack DB (if any).

~]# java -classpath /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI \
decrypt.sh input=jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw= password=password verbose=true


Runtime: Red Hat, Inc. OpenJDK 64-Bit Server VM 11.0.17+8-LTS 


input: jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw=
password: password
verbose: true


HtITdLk8kvDQ0w7V9g-8LQ <=== here's our vnc password
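
What the encrypted string above contains, as an added example that is not part of the original post or of Cloudstack/jasypt: it splits the blob into salt and ciphertext and repeats the key derivation, showing that the DB encryption password is the only secret protecting the value. It assumes jasypt's defaults, which the CLI uses when no algorithm is given (PBEWithMD5AndDES, an 8-byte salt stored in front of the ciphertext, 1000 MD5 iterations); the function names are made up for this example.

```python
import base64
import hashlib

SALT_LEN = 8       # assumed jasypt default: random salt stored before the ciphertext
BLOCK_LEN = 8      # DES block size
ITERATIONS = 1000  # assumed jasypt default iteration count


def split_blob(b64_text):
    """Return (salt, ciphertext) from a jasypt PBEWithMD5AndDES string."""
    raw = base64.b64decode(b64_text, validate=True)
    ciphertext = raw[SALT_LEN:]
    if not ciphertext or len(ciphertext) % BLOCK_LEN:
        raise ValueError("not a salt + whole DES blocks layout")
    return raw[:SALT_LEN], ciphertext


def plaintext_length_range(ciphertext):
    """PKCS#5 padding adds 1..8 bytes, so the ciphertext size bounds the password length."""
    return len(ciphertext) - BLOCK_LEN, len(ciphertext) - 1


def derive_key_iv(password, salt, iterations=ITERATIONS):
    """PBKDF1 with MD5 (PKCS#5 v1.5): first 8 bytes are the DES key, last 8 the CBC IV."""
    digest = hashlib.md5(password.encode() + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.md5(digest).digest()
    return digest[:8], digest[8:]


if __name__ == "__main__":
    sample = "jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw="  # string from the page
    salt, ct = split_blob(sample)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("plaintext length range:", plaintext_length_range(ct))
    key, iv = derive_key_iv("password", salt)  # "password" is the page's example key
    print("DES key:", key.hex(), "IV:", iv.hex())
```

The 22-character VNC password shown above fits the 16..23 byte range that the 24 ciphertext bytes allow.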


If you want to turn this command line into a script, it would look something like this:

#!/usr/bin/env bash

# This script expects the encrypted string as its 1st argument, i.e. $1, so you can call it as "./decvnc.sh string"
[ -n "$1" ] || { echo "usage: $0 <encrypted string>" >&2; exit 1; }

# Find the exact jasypt jar, as the filename changes with the version over time (take the first match)
jasyptlib=$(find /usr/share/cloudstack-common/lib/ -name "jasypt*.jar" | head -n 1)
[ -n "$jasyptlib" ] || { echo "jasypt jar not found" >&2; exit 1; }

# Then decode the string; note we use "$1" for "input". Replace "password" with your own DB encryption password
java -classpath "$jasyptlib" org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.sh input="$1" password=password verbose=false

(c)The Nux(tm) ;-)
