Plesk Encryption

Plesk: love it or hate it, it’s the most popular control panel used on Windows servers. I’ve had the unfortunate experience of working with the panel since Plesk 8. Fortunately, it has been improved over the years and I’ve grown to like it. Over the course of its life, Plesk (v10 to be exact) finally made the choice to not store passwords in clear text. This was one of the best choices they could have made for the sake of security. However, this has made it difficult for IT admins to quickly replicate an end user problem. So today I discuss how to bring that symmetrically encrypted password back to clear text!

If I haven’t lost you yet, here is the one-liner to get the password in the clear on a Windows OS:

"%plesk_dir%\admin\bin\php.exe" -r "echo plesk_symmetric_decrypt('ENCRYPTED_STRING_HERE');"

What does this do?

The Windows command above uses the Plesk environment variable (%plesk_dir%) to locate Plesk’s own PHP binary and runs it with -r, which executes the code given on the command line without needing script tags. That code echoes the result of Plesk’s own function (plesk_symmetric_decrypt), which returns the password. In short, all you need to do is replace the text ‘ENCRYPTED_STRING_HERE’ with the password from Plesk’s database and the clear text will be sent to the command line output. WayCool, huh?

Additional Information

There are a few things to note regarding this:

  1. The command must be executed on the same server on which the encrypted string was found.
  2. Only passwords with the type ‘sym’ (Symmetric-key) can be decrypted using this function.
  3. Passwords with the type ‘crypt’ cannot be reverse-engineered (as far as I’m aware). These passwords use PHP’s crypt() function (explained here) and will likely start with ‘$5$’ in Plesk’s database.

If you are unsure where in Plesk’s database the passwords are stored, try using HeidiSQL (or Plesk’s dbclient.exe command) and browsing the sys_users and databaseservers tables, which link back to the accounts table by account_id.
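To see which accounts fall under which note in the list above, the following added example (not code from Plesk or from this post) triages rows exported from the accounts table into "can be decrypted" and "must be reset", and parses the crypt prefix such as ‘$5$’ to name the hash scheme. The (account id, type, password) row layout, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# crypt(3) modular-format ids; '$5$' is the prefix the post mentions.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}
MCF = re.compile(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?(.+)$")
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # sha256/sha512-crypt default when rounds= is absent

# Constructed sample rows: (account id, type, stored password). Not real data.
ROWS = [
    (1, "sym", "ENCRYPTED_STRING_HERE"),
    (2, "crypt", "$5$rounds=10000$constructedsalt$constructedhash"),
    (3, "crypt", "$5$constructedsalt$constructedhash"),
    (4, "crypt", "not-a-recognisable-hash"),
    (5, "other", "x"),
]


def classify(row_type, stored):
    """Say what an admin can do with one stored password."""
    if row_type == "sym":
        # Reversible: plesk_symmetric_decrypt works, on the originating server only.
        return {"storage": "reversible", "action": "decrypt"}
    if row_type != "crypt":
        return {"storage": "unknown", "action": "inspect"}
    info = {"storage": "one-way", "scheme": "unrecognised", "action": "reset"}
    m = MCF.match(stored)
    if m:
        ident, rounds, _ = m.groups()
        info["scheme"] = SCHEMES.get(ident, "unknown id " + ident)
        if ident in ("5", "6"):
            info["rounds"] = int(rounds) if rounds else SHA_CRYPT_DEFAULT_ROUNDS
    return info


def audit(rows):
    """Group account ids by the action support staff can take."""
    report = {"decrypt": [], "reset": [], "inspect": []}
    for account_id, row_type, stored in rows:
        report[classify(row_type, stored)["action"]].append(account_id)
    return report


if __name__ == "__main__":
    for account_id, row_type, stored in ROWS:
        print(account_id, row_type, classify(row_type, stored))
    print(audit(ROWS))
```
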

 

If you have any thoughts on this, be WayCool and drop a comment below!

 

–Devin
