- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
I am used to use the following command to decrypt $7 Splunk configuration password such as pass4SymmKey or sslConfig.
splunk show-decrypted --value '<encrypted_value>'
I have several questions regarding this command :
1/ Do you ever find any official documentation about it ? I was looking here but not result : https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/CLIadmincommands
2/ Is it possible to use this command for $6 encrypted (hased ?) string, like the one stored for admin password stored in $SPLUNK_HOME/etc/passwd. I suppose it's not possible since it's a password and it should not be "reversible" for security reason.
3/ This question is related to the previous one. Is it right to say that $7 value has been encrypted since it's possible to revert it and $6 has been hashed because it's impossible to get the clear value back ?
Thanks for your help !
GaetanVP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all and @gcusello,
Just for information I contacted Splunk support for that, here are some information :
1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept).
2/ As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.
3/ Yes
Thanks,
GaetanVP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Hi
it's really weird that this and couple of other are not documented here. Maybe it's good to ask that from doc team? If I recall right those has "published" 7.3 (or 7.2 version)?
At least these are there also without mention on that doc pages:
- splunk show-encrypted --value 'changeme'
- splunk hash-passwd changeme
- splunk gen-random-passwd
- splunk gen-cc-splunk-secret (see: https://docs.splunk.com/Documentation/Splunk/9.1.0/CommonCriteria/Commoncriteriainstallationandconfi...)
Probably there are some other undocumented commands too.
Some of those are used e.g. splunk-ansible scripts and there are other documentation on net by someone else than Splunk.
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all and @gcusello,
Just for information I contacted Splunk support for that, here are some information :
1/ Indeed there are no official documentation about that command, apparently for security reason... Let's say it is security through obscurity (and I am not a fan of that concept).
2/ As assumed, it is impossible to revert a $6 value since it has been hashed by a SHA-512 algorithm *just like UNIX based /etc/shadow file). But you can revert $7 value if you have the correct splunk.secret value.
3/ Yes
Thanks,
GaetanVP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @GaetanVP ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @GaetanVP,
good for you, see next time!
let us know if we can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Hi @GaetanVP ,
I'm Vatsal from the Community Moderator team. As I can see you answered your own question. In such scenario if you accept your own answer it will be very useful for future visitors here.
Happy Splunking!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @GaetanVP,
sincerely, it's the first time I see this command!
Anyway, here you can find more infos https://community.splunk.com/t5/Security/Forgot-Pass4symmKey/m-p/378993
Ciao.
Giuseppe
