A command-line tool for decrypting and exporting data from Aries Askar PostgreSQL wallets.
askardedum connects to PostgreSQL databases containing Aries Askar encrypted wallet data, decrypts all items using the provided passkey, and streams the decrypted data to JSON output. It supports both single-wallet and multi-tenant (sub-wallet) configurations.
- Decrypt Askar wallet data stored in PostgreSQL
- Support for multi-tenant wallets with sub-wallet databases
- Streaming output to handle large datasets with minimal memory usage
- JSON and JSON Lines (JSONL) output formats
- Profile filtering for targeted extraction
- Access to the PostgreSQL database containing the Askar wallet
- The wallet passkey used during wallet provisioning
- Network connectivity to the database server
# Native build
cargo build --release
# Cross-compile for Linux (from macOS)
cargo zigbuild --release --target x86_64-unknown-linux-muslThe binary will be located at:
- Native:
target/release/askardedum - Linux:
target/x86_64-unknown-linux-musl/release/askardedum
# Output to stdout
askardedum --db-uri "postgresql://user:pass@host:5432/wallet_db" \
--passkey "your_wallet_passkey"
# Output to file
askardedum --db-uri "postgresql://user:pass@host:5432/wallet_db" \
--passkey "your_wallet_passkey" \
--output wallet_data.jsonFor ACA-Py multi-tenant deployments with separate databases per sub-wallet:
askardedum --db-uri "postgresql://user:pass@host:5432/base_wallet" \
--passkey "your_wallet_passkey" \
--sub-wallets "tenant1_db,tenant2_db,tenant3_db"askardedum --db-uri "postgresql://user:pass@host:5432/wallet_db" \
--passkey "your_wallet_passkey" \
--profile "profile-uuid-here"# Export only first 1000 items per profile
askardedum --db-uri "postgresql://user:pass@host:5432/wallet_db" \
--passkey "your_wallet_passkey" \
--limit 1000| Option | Description |
|---|---|
--db-uri |
PostgreSQL connection URI (required) |
--passkey |
Wallet passkey/password (required) |
--output, -o |
Output file path (default: stdout) |
--sub-wallets |
Comma-separated list of sub-wallet database names |
--schema |
Database schema (default: "public") |
--profile |
Filter by specific profile name |
--limit |
Maximum items per profile (0 = unlimited) |
--format |
Output format: json or jsonl (default: json) |
--include-raw |
Include raw encrypted hex values for debugging |
[
{
"wallet_name": "wallet_db",
"profile_name": "e4b5c6d7-...",
"profile_id": 1,
"item_id": 123,
"kind": 2,
"category": "connection",
"name": "conn-abc123",
"value": {
"connection_id": "abc123",
"state": "active"
},
"tags": [
{"name": "state", "value": "active", "plaintext": true}
]
}
]Each item is output as a single line, useful for streaming processing:
{"wallet_name":"wallet_db","profile_name":"...","item_id":1,...}
{"wallet_name":"wallet_db","profile_name":"...","item_id":2,...}
# Pretty print with jq
askardedum --db-uri "..." --passkey "..." | jq .
# Filter specific categories
askardedum --db-uri "..." --passkey "..." | jq '[.[] | select(.category == "credential")]'
# Count items by category
askardedum --db-uri "..." --passkey "..." | jq 'group_by(.category) | map({category: .[0].category, count: length})'
# Save to file while viewing logs
askardedum --db-uri "..." --passkey "..." > output.json- Logs are written to stderr, JSON output to stdout
- The tool uses streaming to handle large datasets with minimal memory (~512MB is sufficient for 100,000+ items)
- For multi-tenant managed mode, sub-wallets may require derived keys depending on ACA-Py configuration
- Database connection URIs should be properly escaped if they contain special characters
This tool requires:
- Database access credentials
- The wallet encryption passkey
Both are sensitive. Ensure you:
- Use secure methods to pass credentials (avoid shell history)
- Run on trusted systems only
- Secure or delete output files containing decrypted data
Apache-2.0