Technical Deep Dive: Recovering DBeaver Connection Passwords from Encrypted Storage

Dec 04, 2025 · Programming

Keywords: DBeaver | Password Recovery | AES Encryption | Database Security | OpenSSL

Abstract: This paper examines the encryption mechanism and recovery methods for connection passwords in the DBeaver database management tool. Addressing the scenario where a developer has forgotten a database password while DBeaver still holds a working connection, it analyzes where passwords are stored and how they are encrypted across versions (before and after 6.1.3). The article details how to decrypt passwords from the credentials-config.json or .dbeaver-data-sources.xml files, covering a JavaScript decryption tool, OpenSSL command-line operations, a Java implementation, and cross-platform (macOS, Linux, Windows) guidelines. It closes with the security risks and best practices involved, providing a complete technical reference for database administrators and developers.

In database development and operations, DBeaver serves as a widely-used open-source database management tool where connection configuration security is paramount. However, when developers forget database instance passwords while DBeaver maintains valid connections, recovering passwords from local storage becomes a practical technical challenge. Based on community Q&A data, this paper systematically analyzes DBeaver's password encryption mechanisms and provides multiple recovery solutions.

Evolution of DBeaver Password Storage Architecture

DBeaver's password storage methods have evolved with version updates, primarily divided into two phases. For version 6.1.3 and above, password information is stored in the credentials-config.json file, protected by AES encryption algorithm. On macOS systems, this file is typically located at ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json; on Linux systems, the path is ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json. For versions before 6.1.3, passwords are stored in the .dbeaver-data-sources.xml file, which uses XML format with password fields similarly encrypted.

Encryption Mechanism and Key Analysis

DBeaver protects password data with AES-128-CBC, and the encryption key is hardcoded in the source. Reading DBeaver's DefaultSecureStorage.java yields the key as a Java (signed) byte array: [-70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74]. Masking each value to an unsigned byte, for example in Python, gives the hexadecimal key babb4a9f774ab853c96c2d653dfe544a. The first 16 bytes of the encrypted file hold the initialization vector (IV); the OpenSSL recipe in the next section sidesteps this by passing an IV of 16 zero bytes and discarding the first decrypted block. This design allows passwords to be decrypted entirely locally, without any network transmission, but because the key is public, possession of the file is equivalent to possession of the passwords, which is the root of the security risk discussed later.

Password Recovery Technical Solutions

Several recovery methods exist, suited to different technical preferences and operating systems. For general users, the most convenient is an online decryption tool, such as the JavaScript decryption page provided by bugdays.com. The tool runs entirely client-side; the user only has to load the credentials-config.json file to obtain the decrypted password information. However, handing the file to a third-party tool carries a risk of password leakage and should be weighed carefully.

For scenarios with higher security requirements, local decryption with the OpenSSL command-line tool is recommended. On macOS or Linux, execute the following command:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "credentials-config.json" | dd bs=1 skip=16 2>/dev/null

This command decrypts the file with DBeaver's hardcoded key and an all-zero IV. Because the real IV occupies the first 16 bytes of the file, OpenSSL treats that block as ciphertext and decrypts it into garbage, while every later block decrypts correctly (in CBC mode each plaintext block depends only on the previous ciphertext block, which here is the stored IV). The dd bs=1 skip=16 step discards that garbage block, leaving the plaintext JSON with the passwords. Windows users can run the same pipeline after installing OpenSSL or inside WSL (Windows Subsystem for Linux).

Programming Implementation Deep Analysis

For developers needing integration into automated workflows or wishing to deeply understand the decryption process, password recovery can be implemented through programming. The following Java example completely reproduces DBeaver's decryption logic:

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;

public class DecryptDbeaver {
    // Hardcoded key from DBeaver's DefaultSecureStorage.java (signed Java bytes)
    private static final byte[] LOCAL_KEY_CACHE = new byte[] { -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74 };

    // contents = raw bytes of credentials-config.json: 16-byte IV followed by AES-128-CBC ciphertext
    static String decrypt(byte[] contents) throws InvalidAlgorithmParameterException, InvalidKeyException, IOException, NoSuchPaddingException, NoSuchAlgorithmException {
        try (InputStream byteStream = new ByteArrayInputStream(contents)) {
            // The first 16 bytes of the file are the IV, not ciphertext
            byte[] fileIv = new byte[16];
            if (byteStream.read(fileIv) != fileIv.length) {
                throw new IOException("file is shorter than the 16-byte IV");
            }
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            SecretKey aes = new SecretKeySpec(LOCAL_KEY_CACHE, "AES");
            cipher.init(Cipher.DECRYPT_MODE, aes, new IvParameterSpec(fileIv));
            // Stream the remaining bytes through the cipher and read the whole plaintext as UTF-8
            try (CipherInputStream cipherIn = new CipherInputStream(byteStream, cipher)) {
                java.util.Scanner s = new java.util.Scanner(cipherIn, "UTF-8").useDelimiter("\\A");
                return s.hasNext() ? s.next() : "";
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("Parameter error: Please provide credentials-config.json file path");
            System.exit(1);
        }
        // Prints the decrypted JSON (usernames and passwords) to stdout
        System.out.println(decrypt(Files.readAllBytes(Paths.get(args[0]))));
    }
}

This program reads the encrypted file, takes its first 16 bytes as the IV, decrypts the remainder with the hardcoded key, and prints a JSON string containing usernames and passwords. After compiling and running it, each entry can be matched to its database connection through the data-sources.json file in the same .dbeaver directory.

Cross-Platform Operation Guidelines

Operation paths vary across different operating systems. On Windows systems, besides using OpenSSL, encrypted files can be obtained through DBeaver's export function: select "File > Export > DBeaver > Project", rename the exported file to .zip format and extract it, then find the credentials-config.json file in the \projects\General\.dbeaver\ directory. Subsequently use OpenSSL for decryption, or copy it to WSL environment for processing.

Security Risks and Best Practices

Although the above methods recover passwords effectively, the associated security risks must be kept in mind. Online tools may expose sensitive information; local decryption is safer, but it still requires an operating environment free of malware. Because the key is public, anyone who can read credentials-config.json can recover every saved password, so the file's permissions deserve the same care as a plaintext secret. It is recommended to change database passwords immediately after recovery and to consider a password manager or an enterprise key management service. In team environments, a standardized password management process should be established rather than relying on tools to save passwords automatically.

From a technical perspective, DBeaver's encryption design has room for improvement. A hardcoded key is convenient for local decryption but offers no real confidentiality, since anyone with the file also has the key. Future versions could introduce user-defined keys or integrate with the operating system keychain to strengthen password protection. Developers using such tools should understand their security mechanisms and plan their risk response accordingly.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.