Maven 2.1.0+ now supports server password encryption. The main use case, addressed by this solution is:
The implemented solution adds the following capabilities:
Use the following command line:
mvn --encrypt-master-password <password>
Note: This will not prompt for a password, so it must be typed on the command-line in plaintext. See Tips below for more information.
This command will produce an encrypted version of the password, something like
{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}Store this password in the ~/.m2/settings-security.xml; it should look like
<settingsSecurity>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>When this is done, you can start encrypting existing server passwords.
You will have to use the following command line:
mvn --encrypt-password <password>
This command will produce an encrypted version of it, something like
{COQLCE6DU6GtcS5P=}Cut-n-paste it into your settings.xml file in the server section. This will look like:
<settings>
...
<servers>
...
<server>
<id>my.server</id>
<username>foo</username>
<password>{COQLCE6DU6GtcS5P=}</password>
</server>
...
</servers>
...
</settings>Please note that password can contain any information outside of the curly brackets, so that the following will still work:
<settings>
...
<servers>
...
<server>
<id>my.server</id>
<username>foo</username>
<password>Oleg reset this password on 2009-03-11, expires on 2009-04-11 {COQLCE6DU6GtcS5P=}</password>
</server>
...
</servers>
...
</settings>Then you can use, say, deploy plugin, to write to this server:
mvn deploy:deploy-file -Durl=https://maven.corp.com/repo \
-DrepositoryId=my.server \
-Dfile=your-artifact-1.0.jar \Create the master password exactly as described above, and store it on a removable drive, for instance on OSX, my USB drive mounts as /Volumes/mySecureUsb, so I store
<settingsSecurity>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>in the file /Volumes/mySecureUsb/secure/settings-security.xml
And then I create ~/.m2/settings-security.xml with the following content:
<settingsSecurity> <relocation>/Volumes/mySecureUsb/secure/settings-security.xml</relocation> </settingsSecurity>
This assures that encryption will only work when the usb drive is mounted by OS. This addresses a use case where only certain people are authorized to deploy and are issued these devices.
At times, you might find that your password (or the encrypted form of it) may actually contain '{' or '}' as a literal value. If you added such a password as-is to your settings.xml file, you would find that Maven does strange things with it. Specifically, Maven will treat all the characters preceding the '{' literal, and all the characters after the '}' literal, as comments. Obviously, this is not the behavior you want in such a situation. What you really need is a way of escaping the curly-brace literals in your password.
Starting in Maven 2.2.0, you can do just this, with the widely used '\' escape character. If your password looks like this:
jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+{EF1iFQyJQ=Then, the value you would add to your settings.xml would look like this:
{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+\{EF1iFQyJQ=}Editing settings.xml and running the above commands can still leave your password stored locally in plaintext. You may want to check the following locations:
Also note that the encrypted passwords can be decrypted by someone that has the master password and settings security file. Keep this file secure (or stored separately) if you expect the possibility that the settings.xml file may be retrieved.