A standalone Python utility that reproduces SailPoint IdentityIQ's configuration decryption logic. The script mirrors the Java `Transformer`, `SPKeyStore`, and `AsyncHandler` classes so that operators can recover the plaintext values of `alias:ACP:<Base64>` secrets without launching an IIQ instance.
- Default-key decryption for `1:ACP:` secrets using the globally shipped AES key.
- Keystore-backed decryption for aliases `2+` by unmasking `iiq.cfg`, unlocking `iiq.dat`, and extracting the per-alias AES keys.
- Keystore inspection (`--list-keys`) to verify which aliases are present before attempting decryption.
- Python 3.9+
- `pip install -r requirements.txt` to fetch pycryptodome and pyjks
Use when the encrypted value starts with alias `1` and no `iiq.cfg` or `iiq.dat` is available:

```
python3 iiq_decrypt.py '1:ACP:wT9...'
```

When an alias `2+` value is encountered, provide paths to the matching `iiq.cfg` (masked password) and `iiq.dat` (JCEKS keystore) so the script can derive the correct AES key:

```
python3 iiq_decrypt.py '2:ACP:azY...' --cfg /path/to/iiq.cfg --keystore /path/to/iiq.dat
```

Inspect the keystore contents before decrypting:

```
python3 iiq_decrypt.py --cfg /path/to/iiq.cfg --keystore /path/to/iiq.dat --list-keys
```

- The tool performs strict format validation and aborts with a descriptive error if Base64 decoding, padding, or key lookup fails.
- Alias comparison is case-sensitive; the literal string `ascii` short-circuits and returns the stored value unchanged, matching IIQ's behavior.
- Possession of `iiq.cfg` and `iiq.dat` is effectively equivalent to possession of the plaintext secrets. Handle these files and any decrypted output with the same controls you would apply to credential material.
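The following is an added illustration of the parsing, validation and key-dispatch behavior described above; it is not `iiq_decrypt.py` itself and stops short of the `iiq.cfg` unmasking and pyjks keystore extraction (the per-alias keys are taken as a plain dict). Everything not stated on this page is an assumption and is marked as such in the code: the cipher mode (AES-ECB with PKCS#7 padding, which is what Java's `Cipher.getInstance("AES")` resolves to), a caller-supplied stand-in for the shipped default key, and the reading that the `ascii` passthrough is keyed on the alias segment of the stored value. Check those against the tool's `Transformer` port before relying on them.

```python
"""Added example, not the tool's own code: parse and decrypt IIQ-style
alias:ACP:<Base64> values as the README describes. Marked assumptions: AES-ECB
with PKCS#7 padding (what Java's Cipher.getInstance("AES") selects), a caller-
supplied stand-in for the shipped default key, and a plain alias -> key dict in
place of the keys the tool pulls from iiq.dat with pyjks."""
import base64
import binascii
from typing import Optional, Tuple

DEFAULT_ALIAS = "1"    # alias served by the globally shipped key
PASSTHROUGH = "ascii"  # literal alias returned unchanged (assumed to be the alias segment)
BLOCK = 16             # AES block size in bytes

class IIQDecryptError(ValueError):
    """Every failed check raises this with a message naming the check."""

def parse_acp(value: str) -> Tuple[str, bytes]:
    """Split alias:ACP:<Base64> into (alias, ciphertext), validating the payload strictly."""
    parts = value.split(":", 2)
    if len(parts) != 3 or not parts[0] or parts[1] != "ACP":
        raise IIQDecryptError(f"not an alias:ACP:<Base64> value: {value[:24]!r}")
    alias, _, payload = parts
    try:
        ciphertext = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise IIQDecryptError(f"alias {alias}: Base64 decode failed: {exc}") from exc
    if not ciphertext or len(ciphertext) % BLOCK:
        raise IIQDecryptError(
            f"alias {alias}: ciphertext length {len(ciphertext)} is not a multiple of {BLOCK}")
    return alias, ciphertext

def resolve_key(alias: str, default_key: bytes, keystore_keys: dict) -> bytes:
    """Alias 1 -> default key; any other alias must exist in the keystore (case-sensitive)."""
    if alias == DEFAULT_ALIAS:
        return default_key
    try:
        return keystore_keys[alias]
    except KeyError:
        raise IIQDecryptError(
            f"alias {alias!r} not in keystore (present: {sorted(keystore_keys)})") from None

def _unpad(data: bytes) -> bytes:
    """Verify PKCS#7 padding instead of blindly stripping it; a wrong key usually fails here."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise IIQDecryptError("padding check failed: wrong key or corrupted ciphertext")
    return data[:-n]

def has_aes() -> bool:
    """True when pycryptodome (from the tool's requirements.txt) is importable."""
    try:
        import Crypto.Cipher.AES  # noqa: F401
    except ImportError:
        return False
    return True

def _aes(key: bytes):
    """AES-ECB cipher object (assumed mode); descriptive error if the dependency is missing."""
    if not has_aes():
        raise IIQDecryptError("pycryptodome missing: pip install -r requirements.txt")
    if len(key) not in (16, 24, 32):
        raise IIQDecryptError(f"key length {len(key)} is not a valid AES key size")
    from Crypto.Cipher import AES
    return AES.new(key, AES.MODE_ECB)

def decrypt_value(value: str, default_key: bytes, keystore_keys: dict) -> str:
    """Passthrough -> parse -> key lookup -> decrypt -> unpad, aborting on the first failure."""
    if value.split(":", 1)[0] == PASSTHROUGH:
        return value
    alias, ciphertext = parse_acp(value)
    key = resolve_key(alias, default_key, keystore_keys)
    plain = _unpad(_aes(key).decrypt(ciphertext))
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise IIQDecryptError("decrypted bytes are not UTF-8: wrong key or corrupted value") from exc

def error_for(value: str, default_key: bytes, keystore_keys: dict) -> Optional[str]:
    """The descriptive error a CLI would print, or None when the value decrypts."""
    try:
        decrypt_value(value, default_key, keystore_keys)
    except IIQDecryptError as exc:
        return str(exc)
    return None

def encrypt_value(alias: str, plaintext: str, key: bytes) -> str:
    """Inverse of decrypt_value, used only to build local fixtures."""
    data = plaintext.encode("utf-8")
    n = BLOCK - len(data) % BLOCK
    return f"{alias}:ACP:{base64.b64encode(_aes(key).encrypt(data + bytes([n]) * n)).decode()}"

if __name__ == "__main__":
    demo_default, demo_keystore = bytes(range(16)), {"2": bytes(range(16, 32))}  # constructed keys
    sample = encrypt_value("2", "db-password", demo_keystore["2"])
    print(sample, "->", decrypt_value(sample, demo_default, demo_keystore))
    for bad in ("3:ACP:AAAAAAAAAAAAAAAAAAAAAA==", "2:ACP:not*base64", "ASCII:plain"):
        print(bad, "->", error_for(bad, demo_default, demo_keystore))
```

Run it directly to see one round trip with constructed keys followed by the three failure paths the notes list (missing alias, bad Base64, and a case-mismatched `ASCII` prefix that is deliberately not treated as the passthrough). The padding check in `_unpad` is what turns a wrong key into an error rather than garbage output, so keep it strict if you adapt this.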