Skip to end of metadata
Go to start of metadata

Maven 2.1.x trunk now supports server password decryption. This solution is a first implementation and will be enhanced and made more user-friendly in the nearest future. What is described here is working, but not too user-friendly, a Maven plugin to address password maintenance is in the works.

The main use case, addressed by this solution is:

  • multiple users share the same build machine (server, CI box)
  • some users have the privilege to deploy Maven artifacts to repositories, some don't.
    • this applies to any server operations, requiring authorization, not only deployment
  • settings.xml is shared between users

The implemented solution adds the following:

  • authorized users have an additional settings-security.xml file in their ~/.m2 folder
    • this file either contains encrypted master password, used to encrypt other passwords
    • or it can contain a relocation - reference to another file, possibly on removable storage
    • this password is created first via CLI for now
  • server entries in the settings.xml have passwords and/or keystore passphrases encrypted
    • for now - this is done via CLI after master password has been created and stored in appropriate location

How to create master password

All necessary classes are in the maven uber jar which is in ${maven.home}/lib

Use the following command line:

This command will prompt you for the master password and will produce an encrypted version of it, something like

Please store this password in the ~/.m2/settings-security.xml; it should look like

When this is done, you can start encrypting existing server passwords.

How to encrypt server passwords

You will have to use the same command line tool as for master password (see above), but parameter is different - -p

Use the following command line:

This command will prompt you for a password and will produce an encrypted version of it, something like

Cut-n-paste it into you settings.xml file in the server section. This will look like:

Then you can use, say, deploy plugin, to write to this server:

How to keep master password on a removable drive

Create the master password exactly as described above, and store it on a removable drive, for instance on OSX, my USB drive mounts as /Volumes/mySecureUsb, so I store

in the file /Volumes/mySecureUsb/secure/settings-security.xml

And then create ~/.m2/settings-security.xml with the following content:

This assures that encryption will only work when the usb drive is mounted by OS. This addresses a use case where only certain people are authorized to deploy and are issued these devices.

  • No labels