Frequently Asked Questions
How can I recover a user's password or API key?
From Conjur v4.6.0 onwards, rotating a forgotten API key is our recommended practice. API keys can be retrieved by running a command on the Conjur master in earlier versions. Passwords are unrecoverable because they are hashed, not encrypted, in the database.
Once you have rotated or recovered an API key, you can use the new key to log in as the user and update their password.
Conjur v4.6.0 and newer
Rotating a user's API key requires that you have "update" privilege on the user.
Run this Conjur CLI command: a new key is generated and printed out.
$ conjur user rotate_api_key --user dennis 2q3ccnc1qjvt4b38fhb0nx8qh2e2y38n4d1nnjpy9vh27j31anejma
Conjur v4.5.x and older
To retrieve a user's API key, SSH onto a Conjur server (master or follower) and run these commands:
$ sudo su conjur -l $ docker exec -it conjur-appliance bash # ./scripts/conjur authn rails runner "puts User['dennis'].api_key" 2q3ccnc1qjvt4b38fhb0nx8qh2e2y38n4d1nnjpy9vh27j31anejma
Now you can log in with the user's new API key and update their password:
$ conjur authn login -u dennis -p 2q3ccnc1qjvt4b38fhb0nx8qh2e2y38n4d1nnjpy9vh27j31anejma $ conjur user update_password -p mynewpassword