Hi All,
Is there any way to decrypt a Splunk-encrypted pass4symmkey, or else will the Splunk team support a plain-text pass4symmkey?
Thanks
Hi ,
It's better if you change the pass4symmkey and store it securely somewhere for future use.
Although the blog below gives a script to decrypt the password, you can give it a try:
https://www.hurricanelabs.com/splunk-tutorials/make-splunk-do-it-how-to-decrypt-passwords-encrypted-...
An alternative solution for pre-7.2.2, as I did it in a fast way:
👍
When you use ./splunk show-decrypted --value, you need to change the $ -> \$, otherwise Linux will think this is a variable. For example $7$abc -> \$7\$abc. Then it will work.
You are too late - this one was solved already four months ago 😉
But thank you for pointing this out - for some reason I thought that putting single quotes around the password (see above) belongs to the syntax of the "--decrypt" command. But of course - it's just the shell escape.
Yeah, I know. I saw this by chance, so I would like to share the information so that anyone who encounters this later can leverage it. I actually used a Python script at the very beginning to do it: call splunk.entity to create a new password entry, get the clear-text password and then delete that entry 🙂
From Splunk version 7.2.2 and above, you may run the command below to decrypt the encrypted password and find the original clear-text password on the same Splunk instance:
./splunk show-decrypted --value '< pass4SymmKey >'
https://docs.splunk.com/Documentation/Splunk/7.2.2/Security/ConfigureS2Sonnewcipher
Pre 7.2.2:
You may obtain the clear-text password for pass4SymmKey through the steps below:
1) Create passwords.conf in the $SPLUNK_HOME/etc/apps/search/local folder
2) Copy the encrypted pass4SymmKey under each stanza in server.conf from the CM into passwords.conf:
Example passwords.conf
$SPLUNK_HOME/etc/apps/search/local/passwords.conf
[credential:general]
password = $1$q5jsBxheBw==
[credential:clustering]
password = $1$q5jsBxheBw==
[credential:license]
password = $1$q5jsBxheBw==
[credential:shclustering]
password = $1$q5jsBxheBw==
3) Open http(s)://server:mgmt_port/en-US/debug/refresh to read the new configuration
4) Open http(s)://server:mgmt_port/services/storage/passwords and look for clear_password for each stanza
You can also use the following format of the REST API, either through Splunk Web or a Splunk search:
http(s)://<server>:<mgmt_port>/servicesNS/-/-/storage/passwords
OR
| rest /servicesNS/-/-/storage/passwords
| rest /services/storage/passwords
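To tie the recovery procedure above together with the two things people tripped over in this thread (the shell eating the `$` in a `$7$...` value, and hitting the web port instead of the management port, which rewrites the path under /en-US/ and returns a 404), here is an added example in Python. It is not Splunk's code and not code from any poster; the host, port and credentials are placeholders, the XML sample is constructed to resemble the storage/passwords Atom feed (the Splunk REST namespace `http://dev.splunk.com/ns/rest` and the `clear_password`/`encr_password` keys are assumed to be as shown), and the assumption that a splunkweb redirect leaves `/en-US/` in the final URL follows the behaviour described later in the thread.

```python
"""Query /services/storage/passwords on splunkd's management port, explain the
failure modes seen in the thread, and build a shell-safe show-decrypted command.
Added example; not Splunk's code. Host/port/user values are placeholders."""
import shlex
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from base64 import b64encode

# Namespaces used by Splunk's Atom-style REST responses (assumed as shown).
ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of the feed for the stanzas used in the thread. The clear
# text is made up; the second entry has no clear_password, which is what the
# poster on 7.0.0 saw ("clear_password is blank").
SAMPLE_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>passwords</title>
  <entry>
    <title>general</title>
    <content type="text/xml"><s:dict>
      <s:key name="encr_password">$1$q5jsBxheBw==</s:key>
      <s:key name="clear_password">example-cleartext</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>clustering</title>
    <content type="text/xml"><s:dict>
      <s:key name="encr_password">$1$q5jsBxheBw==</s:key>
    </s:dict></content>
  </entry>
</feed>
"""

EXPLANATIONS = {
    "WEB_PORT": "The answer came from splunkweb (path rewritten under /en-US/, HTML body). "
                "Use the management port: mgmtHostPort in web.conf, 8089 by default. "
                "9997 is the receiving port for forwarder data, not the REST API.",
    "AUTH_FAILED": "401: splunkd rejected the user/password.",
    "MISSING_CAPABILITY": "403: the role lacks the list_storage_passwords capability.",
    "NOT_FOUND": "404 from splunkd itself: the endpoint is not available on this instance.",
    "OK": "splunkd answered; clear_password is only filled for entries encrypted with "
          "this instance's splunk.secret, so run this on the instance that owns the key.",
}


def parse_storage_passwords(xml_text):
    """Map each entry title to its clear_password, or None when absent or blank."""
    out = {}
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", default="")
        clear = None
        for key in entry.iter(SPLUNK + "key"):
            if key.get("name") == "clear_password":
                clear = key.text or None
        out[title] = clear
    return out


def diagnose(final_url, status, body):
    """Classify a response from the passwords endpoint into an EXPLANATIONS key."""
    if "/en-US/" in final_url or "<html" in body[:512].lower():
        return "WEB_PORT"
    if status == 401:
        return "AUTH_FAILED"
    if status == 403:
        return "MISSING_CAPABILITY"
    if status == 404:
        return "NOT_FOUND"
    return "OK"


def show_decrypted_command(encrypted_value):
    """Return (argv, command line) for `splunk show-decrypted --value <v>`.
    The argv list goes to subprocess.run without a shell, so `$7` is never
    expanded; the string is single-quoted with shlex for copy/paste."""
    argv = ["splunk", "show-decrypted", "--value", encrypted_value]
    return argv, " ".join(shlex.quote(a) for a in argv)


def fetch_storage_passwords(host, port, user, password, cafile=None):
    """GET the endpoint over HTTPS and return (final_url, status, body).
    cafile: CA bundle for the server cert; Splunk's default cert is self-signed."""
    url = f"https://{host}:{port}/services/storage/passwords?output_mode=xml&count=0"
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.geturl(), resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read() if err.fp is not None else b""
        return err.geturl(), err.code, body.decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: script.py <host> <mgmt_port> <user> <password> [encrypted_value]
    host, port, user, password = sys.argv[1:5]
    final_url, status, body = fetch_storage_passwords(host, port, user, password)
    code = diagnose(final_url, status, body)
    print(f"{status} {final_url}\n{code}: {EXPLANATIONS[code]}")
    if code == "OK":
        for name, clear in parse_storage_passwords(body).items():
            print(f"  {name}: {clear if clear else '<no clear_password>'}")
    if len(sys.argv) > 5:
        print("Run on the instance that owns the key:", show_decrypted_command(sys.argv[5])[1])
```

The diagnosis is deliberately keyed on the final URL rather than the port number, because the thread shows a deployment where the web UI was not on the default port; whatever port you typed, a `/en-US/` prefix in the response URL means splunkweb answered and splunkd did not.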
Hi,
My current Splunk version is 7.0.0. I am trying to decrypt the password by copying the pass4SymmKey into the passwords.conf file, but after running http(s)://server:mgmt_port/services/storage/passwords and looking for clear_password,
clear_password is blank.
Hi scheng,
I tried the below on Splunk Enterprise version 7.2.5; it is not working.
./splunk show-decrypted --value < pass4SymmKey >
But the other method, copying the pass4SymmKey into passwords.conf, is working.
When I try the pre-7.x recovery method on version 6.5.x, step 3 does work but step 4 does not: I get a response of
The path '/en-US/services/storage/password' was not found.
Note that the '/en-US' was added automatically by Splunk, not me.
The alternate version of '/servicesNS/-/-/storage/passwords' gives a similar error. '| rest' does not work either when run on the Splunk index head.
I'm trying to recover the password using a non-critical server; I'd rather not have to use the index head.
You have to run the REST API with the passwords.conf on the same Splunk instance on which you're trying to decrypt the pass4SymmKey, since the splunk.secret key file used for encryption is different on each Splunk instance. It's autogenerated during Splunk installation.
You can test the procedure on a dev instance first, with the same procedure, before doing so in production.
First and foremost, thank you for your update.
I tried the REST API on the same Splunk instance I had passwords.conf installed, and I got no response at all.
In addition, the URL
http(s)://server:mgmt_port/services/storage/passwords
on my installation immediately adds an en-US and does not display anything.
I will try some variations on this; I have a suspicion that I may need to run this on the licensing master.
If I figure this out I'll post my comments here.
After putting this aside for a while -- some urgent projects -- I have tried again today, and it still does not work for me.
I've tried this several times -- on the same server that has the passwords I want to decipher -- and I still can't get it to work. Password refresh does work, that is, debug/refresh gives me a results page, and I do see:
Refreshing admin/passwords OK
on the page that comes up.
When I try "services/storage/passwords" I get the same error as before: an added "/en-US" in the path and a 404. When I try to use the rest API via search, I get no errors but no results.
I find that no /services APIs work. E.g., /services/server/health_report and similar innocuous REST API attempts, both via HTTP and via "|rest", all fail. /server/info fails. /search/apps/local does work via '| rest.'
I am now trying to figure out why /server and /services both fail. I wonder if it's related to a privilege issue, but I'm logging in as admin.
Just to cut this out: which port are you using as management port?
My management port is 9997; I'm running Splunk 6.2.1 that was installed as part of an Aspect install of Prophecy.
After a great deal of additional attempts, I now find that the REST API works:
| rest /services/storage
gives the result
author id published splunk_server title updated
system https://127.0.0.1/services/storage/collections <deleted> collections 2019-12-03T15:34:19+00:00
system https://127.0.0.1/services/storage/passwords <deleted> passwords 2019-12-03T15:34:19+00:00
but asking for the passwords via "| rest /services/storage/passwords" fails, and I wonder if it's related to lack of HTTPS access.
9997 - in a default installation - is the port you use for incoming data, e.g. from your Universal Forwarders. The management port - in a default installation - which you use to access the REST API using your browser is 8089. Using that no "en-US" will be added to your URL.
Thanks! You are entirely correct! I had the wrong port.
My particular setup used port 9997 for the GUI, and looking around further I found the value of mgmtHostPort in my local/web.conf. Using that value, I can get the REST API to work from a console.
I do get XML responses about passwords, but no passwords. I used, e.g., /servicesNS/-/-/storage/passwords/. I also tried to access /servicesNS/-/-/storage/passwords/general and /servicesNS/-/-/storage/passwords/:general:, but got a "could not find" response.
At this point, however, I have to put this aside since I have the answer I was seeking by using the script I reference above.
I suspect that part of the problem following the original recipe may be that I am running 6.3.2; the file passwords.conf was only created in 6.5.2 and above.
Thanks again, rvany and scheng both, for your invaluable help solving this puzzle.
Glad you have a solution. Some points to consider:
I admit you are completely correct.
Unfortunately, my Splunk installation is tightly bundled with a different application, and I don't (at present) have the time to untangle the two. In fact, as much as I'd like to upgrade to 8.x, I don't believe that I can... if I can figure out how to download the latest Splunk and find time for a test installation, perhaps I can try to get it licensed -- the licenses come through the vendor of the other app -- and see if I can persuade them to work together.
Thanks again for the help and advice.
And now I have HTTPS running, and it makes no difference. I also added list_storage_passwords to authorize.conf -- it was not there before -- but regardless I cannot access the passwords from either search or over the net.
I have a strong suspicion that it's been disabled somehow.
This tool works perfectly: https://pypi.org/project/splunksecrets/
You have to put single quotes around the key - and in one attempt I had to remove the trailing equal-signs.
BTW - there's also a splunk show-encrypted --value 'topsecret' - which creates strings starting with "$7$" - but I have no idea how/where to use it.