
How to Encrypt your Maven Password

scottshipp ・ 2 min read

Although the Maven documentation has a whole page on its password encryption feature, it doesn't actually walk you through the steps you need to take to encrypt a Maven password.

What am I talking about?
If your organization's Maven repositories require authentication, you normally store the username and password in the Maven settings file, located by default at ~/.m2/settings.xml.

For example, I might have something like this in my settings.xml:

<servers>
    <server>
      <id>myorg-internal-repo</id>
      <username>scott.shipp</username>
      <password>notMyRealPasswordForAnything</password>
    </server>
</servers>

Obviously, storing a password in a clear-text file like this is foolish.


How to encrypt and replace the password
To remedy this issue, follow these steps:

Create a master password

  1. First, you must create a master password that is used to encrypt all the other Maven passwords. Start by opening a terminal.
  2. Type:
    $ mvn --encrypt-master-password
  3. You will be prompted for a master password. Enter the password here.
  4. Maven will spit out a big long string like this:
    {w5+NYEttGTAHV3FanFoel4N5uUmbcvtzRoWZHI5N97jtssbo0O/93W/XLlm0caeM}
    

Keep this terminal window open while you do the next step.

Store the master password

  1. Create a file called settings-security.xml in the ~/.m2 directory.
  2. Copy/paste the following block into the new file:
    <settingsSecurity>
      <master></master>
    </settingsSecurity>
    
  3. Copy/paste the big long encrypted string that Maven spit out in the previous steps in between the <master> tags. You'll end up with something like this:
    <settingsSecurity>
      <master>{w5+NYEttGTAHV3FanFoel4N5uUmbcvtzRoWZHI5N97jtssbo0O/93W/XLlm0caeM}</master>
    </settingsSecurity>
    
  4. Save the settings-security.xml file, obviously!

Encrypt your password

  1. In the given example, the settings.xml server entry has a password of 'notMyRealPasswordForAnything'. This is what we want to encrypt. So open a terminal if you aren't already in one.
  2. Type:
    $ mvn --encrypt-password
    
  3. Enter the password you want to encrypt (in our fake example scenario, it's 'notMyRealPasswordForAnything').
  4. Maven will spit out an encrypted string that looks similar to the encrypted string it spit out for the master password.
  5. Copy the new string it spit out.
  6. Open the settings.xml file.
  7. Delete the current password between the <password> tags.
  8. Paste in the new encrypted version.
  9. Save the file.
  10. Verify that Maven can still access the repo in question.

You're all done! Smart!
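A small audit script, added here and not part of the original post or of Maven itself, that checks the end state of the procedure above: it parses settings.xml to find any <server> whose password is still clear text, confirms settings-security.xml carries an encrypted <master> value, and flags either file if its permissions let other users read it (the master key file is what protects every other password, so it deserves the same care). The sample XML and the braced ciphertext placeholder are constructed for this example.

```python
import re
import stat
import xml.etree.ElementTree as ET
from pathlib import Path

# Maven wraps ciphertext in braces, e.g. {w5+NY...caeM}; any <password> value
# not wrapped this way is still stored as clear text. (Assumption for this
# example: a value escaped as "\{" is literal, so it is treated as clear text.)
ENCRYPTED = re.compile(r"^\{.+\}$")

def _name(tag: str) -> str:
    """Strip an XML namespace ({uri}tag -> tag) so settings with or without xmlns work."""
    return tag.rsplit("}", 1)[-1]

def plaintext_servers(settings_xml: str) -> list[str]:
    """Return the <id> of every <server> whose <password> is not in Maven's encrypted form."""
    exposed = []
    for server in ET.fromstring(settings_xml).iter():
        if _name(server.tag) != "server":
            continue
        fields = {_name(c.tag): (c.text or "").strip() for c in server}
        password = fields.get("password", "")
        if password and not ENCRYPTED.match(password):
            exposed.append(fields.get("id", "<no id>"))
    return exposed

def master_configured(security_xml: str) -> bool:
    """True when settings-security.xml carries an encrypted (braced) <master> value."""
    return any(_name(e.tag) == "master" and ENCRYPTED.match((e.text or "").strip())
               for e in ET.fromstring(security_xml).iter())

def readable_by_others(path: Path) -> bool:
    """Both files should be private to the user (chmod 600); flag any group/world bits."""
    return bool(stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed samples: the post's clear-text entry, the same entry after encryption,
# and a settings-security.xml using the master string shown in the post.
BEFORE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><servers>
  <server><id>myorg-internal-repo</id><username>scott.shipp</username>
    <password>notMyRealPasswordForAnything</password></server></servers></settings>"""
AFTER = BEFORE.replace("notMyRealPasswordForAnything", "{CONSTRUCTED_CIPHERTEXT_PLACEHOLDER=}")
SECURITY = ("<settingsSecurity><master>{w5+NYEttGTAHV3FanFoel4N5uUmbcvtzRoWZHI5N97jtssbo0O/"
            "93W/XLlm0caeM}</master></settingsSecurity>")

if __name__ == "__main__":
    print("clear-text servers in sample:", plaintext_servers(BEFORE))  # ['myorg-internal-repo']
    for name in ("settings.xml", "settings-security.xml"):
        path = Path.home() / ".m2" / name
        if path.exists() and readable_by_others(path):
            print(f"warning: {path} is readable by group/others; chmod 600 is recommended")
```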

scottshipp (@scottshipp)

AWS, Spring Boot, Core Java, and backend developer.

Discussion


Hi,
Based on your article I assume there is something in the documentation that is not as clear as it should be. This means there is room for improvement.

It would be great if you could create a pull request to fix the issue in the documentation if you like.

If you don't like it, it is ok too.

Apart from that your article is explaining it very well.

Kind regards
Karl Heinz Marbaise
Apache Maven PMC


Hi, thanks for the tutorial. What I don't get is: what are the benefits of this approach? If someone has access to your settings.xml file, wouldn't they also have access to your security-settings.xml? Both are in .m2 according to your tutorial.


Hi Ivan,

the location for settings.xml and security-settings.xml is by default your home directory ($HOME/.m2/), which is by default secured by your login (username/password). This is the first barrier, and the second one of course is, as Scott wrote, that in none of them is a clear-text password.

Kind regards
Karl Heinz Marbaise


Ah, ok. So you are prompted for the master password when you try to get a dependency from your repo?