Plesk uses symmetrical encryption for many passwords in its internal MySQL database “psa”. There are several decryption scripts exist, but none for Plesk on Windows so far. This blog post is to finally change it.

You can find symmetrically encrypted passwords in these tables in Plesk’s “psa” database:

• accounts (collumn password)
• databaseservers (collumn admin_password)
• dsn (collumn cstring)
• longtaskparams (a record called oldBackupkey – a parameter for backup-encrypt-task (see the longtasks table))
• misc (collumn aps_password)
• servicenodeconfiguration (collumn value for the section MailGate / password)
• smb_users (collumn password)

Symmetrically encrypted passwords look like this: “$AES-128-CBC$ABNK35ZcqnbTYT4Q3mbaEA$HmGDWmtym6K3+kJ8uBoJOg”:
They start with “$AES-128-CBC$”. Then between the second and the third dollar signs there is an AES initialization vector. After that, until the end of the string, we have the encrypted data itself.

In Linux the symmetric key, which Plesk uses to encrypt all these passwords, is located in /etc/psa/private/secret_key. In Windows they put it in registry: HKLM:\SOFTWARE\WOW6432Node\PLESK\PSA Config\Config\sym_key\sym_key

To retrieve an encrypted password, use your favorite MySQL tool to connect to the database and copy it from there.

Copy a password you want to decrypt and pass in to the -EncryptedString parameter of the script below. Mind, that you must run the script on the same server where you have that instance of Plesk installed, otherwise it won’t be able to extract the symmetric key. If you want to decrypt passwords on a different machine, you need to pass the symmetric key manually to the script’s -SymmetricKey parameter.

See also:

https://gist.github.com/gnanet/99f5e284c0f71032498625368ba67659
https://www.besuchet.net/2016/06/plesk-11-encrypted-hashed-password-authentication-php-on-psa-database/
https://mor-pah.net/2014/03/05/decrypt-plesk-11-passwords/
https://codeforcontent.com/blog/using-aes-in-powershell/