* Home :: Get a random password :: Get a multi-word password :: What is my IP? (v4 | v6)
* My projects

Decrypt KVM VNC passwords from Cloudstack's DB

Tags: howto,cloudstack,vnc

Date: 20230121


If you ever wanted to open a KVM Cloudstack guest in say virt-manager you were prompted for a VNC password.

This password is kept in the Cloudstack DB in an encrypted string, so you can't just use it as is.

Here's how to decrypt it.

First get the encrypted vnc password out of the DB. For example:


MariaDB [cloud]> select vnc_password from cloud.vm_instance where instance_name="i-2-5-VM";
+----------------------------------------------+
| vnc_password                                 |
+----------------------------------------------+
| jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw= |
+----------------------------------------------+
1 row in set (0.00 sec)
        


Then decrypt that string using the appropriate Cloudstack libraries.
Note we use a password here, you need to use your own "password", the one you used when you set up encryption of the Cloudstack DB (if any).

~]# java -classpath /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI \
decrypt.sh input=jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw= password=password verbose=true

----ENVIRONMENT-----------------

Runtime: Red Hat, Inc. OpenJDK 64-Bit Server VM 11.0.17+8-LTS 



----ARGUMENTS-------------------

input: jwbbbihpS9HeAGcUs64okbuWzNSwPbr+1dPpt3FG8kw=
password: password
verbose: true



----OUTPUT----------------------

HtITdLk8kvDQ0w7V9g-8LQ <=== here's our vnc password


        


If you want to turn this command line into a script it would look something like this:


#!/usr/bin/env bash

# this script expects the encrypted string as 1st argument, ie $1, so you can call the script as "./decvnc.sh string"

# let's find out the exact jasypt file, as filename changes with version in time
jasyptlib=$(find /usr/share/cloudstack-common/lib/ -name "jasypt*")

# then decode the string, note we use "$1" for "input"
java -classpath "$jasyptlib" org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.sh input="$1" password=password verbose=false
        

(c)The Nux(tm) ;-)

No CSS, no Javascript, no some HTML.
No ads, no tracking, no cookies.


Optimised for Dillo browser, great in Lynx, too :)