Recovering Splunk Passwords

Splunk’s passwords can be decrypted.

Splunk provides the means to decrypt the passwords.

This trick is useful for times where your old admin didn’t share the pass4SymmKey or other “encrypted” fields in the config. This method became possible after 6.3.0 when passwords.conf was introduced.

Splunk Password Basics

Splunk provides a nice write up of how secrets are stored within configuration files on the file system. It’s important to note that when a clear-text password is detected in a “secret” field, the next restart of Splunk will cause this value to become encrypted using the splunk.secret value. This value is generated upon first install and is normally different between Splunk installations, meaning that your encrypted values would be different even if the original clear-text value was identical.


Add a passwords.conf file in your favorite config directory, ie. /opt/splunk/etc/apps/search/local/passwords.conf, with the following contents.


The example from my test instance.

Debug Refresh

Perform a debug refresh to force Splunk to load this new file into active config. Perhaps a restart if you’re getting a Forbidden on this link. (Free users)


Splunk API for Clear Text

Use the Splunk API to view all the passwords (the one you just added) managed by Splunk via passwords.conf.


You’ll find the clear-text in the clear_password field.

Hope this helps with recovering an unknown password.

Upgrade Untangle – Fixing Broken Auto-Updates

Untangle is a firewall product that I use to manage my network and prevent my kids from accessing certain sites or categories of content. I also use it to shut off internet access to certain devices past certain hours or when I’m given attitude.

Unfortunately, the Home Version of Untangle does not get any support and updates are often promised as “they’ll be pushed out soon.” After rolling with version 12.1 for multiple years, I investigated the upgrade process and have documented the steps I followed to get to the most recent version.

Note: Upgrades MUST be in sequential order. Breaking changes may have been made between versions. Upgrading sequentially will ensure that your current Untangle server and all of its configurations will remain intact. Upgrading out of order may cause you to lose config or worse.

Enable SSH

Please refer to the Untangle Wiki to enable SSH – This is required to edit the apt lists.

Upgrade Path

This is the order in which the Untangle server must be upgraded. Jessie->Jessie and Stretch->Stretch upgrades do not require a restart. The upgrade from Debian Jessie to Debian Stretch will require a reboot.


  • stihl-2
  • beat
  • beat-1
  • jims
  • jims-1
  • 13.2.0
  • 13.2.1


  • 14.0.0
  • 14.0.1
  • 14.1.0
  • 14.1.1
  • 14.1.2
  • 14.2.0

Edit Apt Sources

Untangle Only Upgrade Steps

  1. sed -I “s/$current_version/$next_version/g” /etc/apt/sources.list.d/untangle.list and bump release code name (or number) to next release
    • IE. stihl-2 would be $current_version and beat would be $next_version.
  2. Log into the Untangle UI.
  3. Select Config -> Upgrade and wait for the system to finish checking upgrades. It should have found a new version and you can click the “Upgrade Now” button.

Jessie to Stretch Upgrade

Upgrading from 13.2.1 to 14.0.0 requires a full OS upgrade from Debian Jessie to Debian Stretch. Please follow these steps for this one time upgrade and return to the steps above for subsequent upgrades from 14.0.0 to 14.2.0.

  1. sed -I “s/$current_version/$next_version/g” /etc/apt/sources.list.d/untangle.list and bump release code name (or number) to next release.
    • IE. 13.2.1 would be $current_version and 14.0.0 would be $next_version.
  2. sed -I “s/jessie/stretch/g” /etc/apt/sources.list.d/untangle.list
  3. I’m not sure if this is necessary, but I did it anyways and it did not hinder the upgrades.
    • sed -I “s/jessie/stretch/g” /etc/apt/preferences.d/00default-debian.pref
  4. Return to Untangle Only Upgrade Steps to finish upgrading through the versions


I’ve seen many times during the upgrade process a page that continually refreshes that says “Upgrade in progress…. Do not reboot.” Please verify that the upgrade is complete before attempting the steps below. You can verify the upgrade by via tail -f /var/log/uvm/upgrade.log.

Stop the Splash Screen

/usr/share/untangle/bin/ut-show-upgrade-splash stop

If this does not fix the issue, continue to the next step.

Restart Untangle VM

/etc/init.d/untangle-vm restart

PrivateBin Instance

When the insurance company asks you to email your policy information and driver’s license information, what do?  I’d recommend not sending it.  I set up this instance of PrivateBin for myself so that when information needs to be securely sent, I now have a method to share those items.

PrivateBin allows the following:

  • Password protection of the content
  • Automatic deletion of the content after a certain time
  • Burn after reading (the content can only be opened once)
  • Encrypted storage (and encryption in transit)
  • Support for plaintext, source code and Markdown
  • Discussion

This instance can be accessed here: