/ppp secret add name="john.doe" password="..." service=pppoe The ... indicates a redacted value. This is intentional—export files may be stored in logs, backups, or transmitted over insecure channels. There is no direct export flag to show passwords. Instead, you must use one of these methods. 1. Using the print Command with detail and without-paging The print command can display passwords in plaintext if the show-sensitive parameter is available (introduced in RouterOS v6.44+). For older versions, you need a different approach.
/file print where name="secrets.txt" However, this still hides passwords in older versions. The only reliable method is to use the /ppp secret export command in a safe environment where the configuration is stored in plaintext? Actually, no—export always hides.
Flags: X - disabled 0 name="john.doe" password="MyPlainPass123" service=pppoe profile=default show-sensitive works for print , not for export . 2. Dumping via Script and File System (For Older Versions) If your RouterOS lacks show-sensitive , you can script a manual dump: mikrotik export ppp secrets with password
Understanding these nuances ensures you can perform necessary administrative tasks without compromising security.
secrets = api.path('ppp', 'secret') for secret in secrets: print(f"Name: secret['name'], Password: secret.get('password', 'None')") /ppp secret add name="john
/ppp secret print detail show-sensitive Example output:
This article explores the technical methods, security implications, and best practices for exporting PPP secrets with passwords. MikroTik RouterOS hides passwords in exports to prevent sensitive data leakage. For example: There is no direct export flag to show passwords
Introduction MikroTik RouterOS is widely used for PPP (Point-to-Point Protocol) services such as PPPoE, PPTP, L2TP, SSTP, and OpenVPN. The /ppp secret configuration stores user credentials—username and password—for authentication. By default, when you run an export command, passwords are hidden (displayed as password="..." ). This security measure prevents accidental exposure. However, legitimate scenarios (migration, backup automation, auditing) require exporting secrets with plaintext passwords.