Avatar
Holeybit By Jonas Tahardi

Show Decrypted Splunk Password

Splunk will encrypt certain values automatically during boot sequence. Sometimes, we need to verify that the values are what we are expecting. Here’s how to show the decrypt the value.

One of the typical issues related to encrypted password is when we back-up the settings (and apps) and restore on another instance (or a fresh install) of Splunk. This other Splunk instance will have a different encryption key, so it wouldn’t be able to decrypt the passwords correctly. The procedure would be to identify the encrypted passwords in the configuration files in the local directory, replace with un-encrypted password, and let Splunk encrypt the password on the other instance.

Here’s how to show the decrypted value:

$ splunk show-decrypted --value 'someencryptedvalue'

Nuance

Here’s an example:

$ cat /opt/splunk/etc/system/local/server.conf
[general]
serverName = sibcentos1
pass4SymmKey = $7$Ix7PnsHuolpCa4UJ/FqTc8cv6/dRdifwk5EPnu+ZUIzdt873+D2PPg==


[sslConfig]
sslPassword = $7$sBRWi3tvfkgkpZxz+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA==


$ splunk show-decrypted --value '$7$Ix7PnsHuolpCa4UJ/FqTc8cv6/dRdifwk5EPnu+ZUIzdt873+D2PPg=='
changeme


$ splunk show-decrypted --value '$7$sBRWi3tvfkgkpZxz+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA=='
password

Note: The single quote (') around the password is important on the terminal, since otherwise it will be treated as regular string and the shell will try to perform parameter expansion due to the ‘$’ character.

$ splunk show-decrypted --value $7$sBRWi3tvfkgkpZxz+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA==
+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA==


$ splunk show-decrypted --value "$7$sBRWi3tvfkgkpZxz+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA=="
+5atsuxM2IafZQaDzKyCJ+qhbexNGI+O2YWzEA==

Note 2: Just because the encrypted values look different, doesn’t mean the password is different!! (Compared to the same password above)

$ splunk show-encrypted --value 'password'
$7$DKUsZfsX/OLDWT579iIYwZcpTMppuEuk0cq1jEfrDbYZUOhFJoQevQ==


$ splunk show-decrypted --value '$7$DKUsZfsX/OLDWT579iIYwZcpTMppuEuk0cq1jEfrDbYZUOhFJoQevQ=='
password