Maven keeps confidential data such as passwords in settings.xml. For example, in the previous two sections, the passwords for the proxy server and the repository are kept in cleartext. The following configuration repeats the server configuration of a repository secured with HTTP Basic authentication:

    <server>
      <id>central</id>
      <username>my_username</username>
      <password>my_password</password>
    </server>
More details about encrypting Maven passwords can be found at http://maven.apache.org/guides/mini/guide-encryption.html.
Keeping confidential data in configuration files in cleartext is a security threat that must be avoided. Maven provides a way to encrypt configuration data in settings.xml, which is as follows. First, encrypt a master password:

    $ mvn -emp mymasterpassword
    {lJ1MrCQRnngHIpSadxoyEKyt2zIGbm3Yl0ClKdTtRR6TleNaEfGOEoJaxNcdMr+G}

Then create the file settings-security.xml under USER_HOME/.m2/ and add the encrypted master password there as shown here:

    <settingsSecurity>
      <master>{lJ1MrCQRnngHIpSadxoyEKyt2zIGbm3Yl0ClKdTtRR6TleNaEfGOEoJaxNcdMr+G}</master>
    </settingsSecurity>
This master password is what Maven uses to encrypt the passwords stored in settings.xml. Let's see how to encrypt the server password. First, we need to generate the encrypted password for the cleartext one using the following command. Note that earlier we used emp (encrypt master password) and now we are using ep (encrypt password):

    $ mvn -ep my_password
    {PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}

Now replace the cleartext password in the server configuration of the settings.xml file with the encrypted value, as shown here:

    <server>
      <id>central</id>
      <username>my_username</username>
      <password>{PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}</password>
    </server>
The master password does not have to stay on the local disk. You can keep settings-security.xml on a removable drive instead and make the settings-security.xml under USER_HOME/.m2/ point to its real location with a relocation element:

    <settingsSecurity>
      <relocation>/Volumes/MyUSBPEN/settings-security.xml</relocation>
    </settingsSecurity>
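As an added example (not from the book and not part of Maven itself), the following Go program audits a settings.xml for the cleartext passwords this section warns about: it parses the <servers> and <proxies> sections and reports every entry whose <password> does not have the {...} form that mvn -ep produces. The settings document embedded below is a constructed sample; the assumption that a value is encrypted exactly when it is wrapped in curly braces is this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample settings.xml (not a real file): the "central" server and the
// proxy still hold cleartext passwords, "snapshots" has already been converted with mvn -ep.
const sampleSettings = `<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>central</id>
      <username>my_username</username>
      <password>my_password</password>
    </server>
    <server>
      <id>snapshots</id>
      <username>my_username</username>
      <password>{PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}</password>
    </server>
  </servers>
  <proxies>
    <proxy>
      <id>corp-proxy</id>
      <username>proxyuser</username>
      <password>proxypass</password>
    </proxy>
  </proxies>
</settings>`

// credential is the subset of <server> / <proxy> we care about.
type credential struct {
	ID       string `xml:"id"`
	Password string `xml:"password"`
}

// settings maps the two places where settings.xml stores passwords.
type settings struct {
	Servers []credential `xml:"servers>server"`
	Proxies []credential `xml:"proxies>proxy"`
}

// isEncrypted reports whether a value has the {...} form produced by `mvn -ep`
// (assumption of this example: anything else is treated as cleartext).
func isEncrypted(v string) bool {
	v = strings.TrimSpace(v)
	return len(v) > 2 && strings.HasPrefix(v, "{") && strings.HasSuffix(v, "}")
}

// CleartextPasswords parses a settings.xml document and returns the ids of the
// <server> and <proxy> entries whose <password> is still stored in cleartext.
func CleartextPasswords(doc string) ([]string, error) {
	var s settings
	if err := xml.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range s.Servers {
		if c.Password != "" && !isEncrypted(c.Password) {
			findings = append(findings, "server:"+c.ID)
		}
	}
	for _, c := range s.Proxies {
		if c.Password != "" && !isEncrypted(c.Password) {
			findings = append(findings, "proxy:"+c.ID)
		}
	}
	return findings, nil
}

func main() {
	findings, err := CleartextPasswords(sampleSettings)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("cleartext password found in", f)
	}
}
```

To audit a real file, read USER_HOME/.m2/settings.xml into a string and pass it to CleartextPasswords; the namespace on the root element does not matter because the struct tags match on local element names.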
For any inquisitive mind, there remains a question. How does Maven encrypt the password? What is the key used to encrypt the master password and where does Maven keep it?
Maven uses AES 128 with the PBE SHA-256 algorithm for encryption. Password-Based Encryption (PBE) is a way of performing symmetric key encryption using a password or a passphrase. Once Maven gets the master password in cleartext, it will calculate the salted hash against it using the SHA256 algorithm. This will be performed for a few iterations to end up with the encrypted master key. Even though we call it encrypted, it is not really encrypted using another key.
If you run the following command multiple times against the same cleartext password, you will end up with different encrypted passwords each time. The reason is that each time you run the command, Maven generates a random salt value and uses this to derive the encrypted master key:
$ mvn -emp mymasterpassword
To encrypt confidential data in settings.xml, Maven uses this master key along with the AES 128-bit symmetric-key encryption algorithm. Anyone with access to the master key will be able to decrypt all the encrypted passwords kept in settings.xml.
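To make the description above concrete, here is an added Go program that models the scheme in miniature; it is not Maven's own cipher code and its output is not interoperable with Maven's {...} values. It draws a random salt, runs iterated SHA-256 over the master password and salt to obtain a 16-byte AES-128 key, and encrypts the server password with AES in CBC mode. The iteration count, salt length and token layout (salt, IV and ciphertext, base64-encoded inside braces) are assumptions chosen for the illustration. Encrypting the same password twice yields different tokens because of the fresh salt and IV, and only the same master password recovers the plaintext, which is exactly why the master key must be protected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumed parameters for this illustration (Maven's real values differ).
const (
	iterations = 1024 // number of SHA-256 rounds in the key derivation
	saltLen    = 8    // bytes of random salt stored with each token
)

// deriveKey models password-based key derivation: hash (password || salt),
// re-hash the result a fixed number of times, keep 16 bytes as the AES-128 key.
func deriveKey(masterPassword string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(masterPassword), salt...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:16]
}

// Encrypt returns "{base64(salt || iv || ciphertext)}" for the given plaintext.
func Encrypt(masterPassword, plaintext string) (string, error) {
	salt := make([]byte, saltLen)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(deriveKey(masterPassword, salt))
	if err != nil {
		return "", err
	}
	// PKCS#7 padding so the plaintext is a whole number of AES blocks.
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	token := append(append(salt, iv...), ct...)
	return "{" + base64.StdEncoding.EncodeToString(token) + "}", nil
}

// Decrypt reverses Encrypt. A wrong master password normally shows up as invalid
// padding; a caller must still never trust the output without that check passing.
func Decrypt(masterPassword, token string) (string, error) {
	if len(token) < 2 || token[0] != '{' || token[len(token)-1] != '}' {
		return "", errors.New("not an encrypted value")
	}
	raw, err := base64.StdEncoding.DecodeString(token[1 : len(token)-1])
	if err != nil {
		return "", err
	}
	header := saltLen + aes.BlockSize
	if len(raw) <= header || (len(raw)-header)%aes.BlockSize != 0 {
		return "", errors.New("malformed token")
	}
	salt, iv, ct := raw[:saltLen], raw[saltLen:header], raw[header:]
	block, err := aes.NewCipher(deriveKey(masterPassword, salt))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(pt) {
		return "", errors.New("wrong master password or corrupted token")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return "", errors.New("wrong master password or corrupted token")
		}
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	t1, _ := Encrypt("mymasterpassword", "my_password")
	t2, _ := Encrypt("mymasterpassword", "my_password")
	fmt.Println("token 1:", t1)
	fmt.Println("token 2:", t2, "(differs: fresh salt and IV)")
	pt, err := Decrypt("mymasterpassword", t1)
	fmt.Println("decrypted:", pt, err)
}
```

The same effect is visible with the real tool: because the salt is random, two runs of mvn -ep over the same cleartext give two different tokens that both decrypt to the same value under the same master password.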