How to decrypt Plesk passwords on Windows

Plesk uses symmetrical encryption for many passwords in its internal MySQL database “psa”. There are several decryption scripts exist, but none for Plesk on Windows so far. This blog post is to finally change it.

You can find symmetrically encrypted passwords in these tables in Plesk’s “psa” database:

  • accounts (collumn password)
  • databaseservers (collumn admin_password)
  • dsn (collumn cstring)
  • longtaskparams (a record called oldBackupkey – a parameter for backup-encrypt-task (see the longtasks table))
  • misc (collumn aps_password)
  • servicenodeconfiguration (collumn value for the section MailGate / password)
  • smb_users (collumn password)

Symmetrically encrypted passwords look like this: “$AES-128-CBC$ABNK35ZcqnbTYT4Q3mbaEA$HmGDWmtym6K3+kJ8uBoJOg”:
They start with “$AES-128-CBC$”. Then between the second and the third dollar signs there is an AES initialization vector. After that, until the end of the string, we have the encrypted data itself.

In Linux the symmetric key, which Plesk uses to encrypt all these passwords, is located in /etc/psa/private/secret_key. In Windows they put it in registry: HKLM:\SOFTWARE\WOW6432Node\PLESK\PSA Config\Config\sym_key\sym_key

To retrieve an encrypted password, use your favorite MySQL tool to connect to the database and copy it from there.


To learn how to connect to the “psa” database, see this and also here.

Copy a password you want to decrypt and pass in to the -EncryptedString parameter of the script below. Mind, that you must run the script on the same server where you have that instance of Plesk installed, otherwise it won’t be able to extract the symmetric key. If you want to decrypt passwords on a different machine, you need to pass the symmetric key manually to the script’s -SymmetricKey parameter.

See also:

2 thoughts on “How to decrypt Plesk passwords on Windows”

  1. Thank you,

    This script helps me migrate a Plesk server that had a shared SmarterMail server with many thousands of accounts.

    I had to modify your code to build a new file that would encrypt a password into the Plesk format (to import the password taken from server #1 into the server #2 database).

    It would be great is you could update you code with an extra parameter so it could do both, encrypt and decrypt.

    – ConvertFrom-PleskSymmetricallyEncryptedString.ps1 decrypt ‘$AES-128-CBC$base64_IV$base64_data’
    – ConvertFrom-PleskSymmetricallyEncryptedString.ps1 encrypt ‘mypassword’

Leave a Reply

Your email address will not be published. Required fields are marked *