How to encrypt User Passwords in Maven ~/.m2/settings.xml File

Introduction

Here I will show you how to encrypt user passwords in Maven’s ~/.m2/settings.xml file. The user here is the person who accesses Maven’s protected remote repository.

Maven’s configuration file, settings.xml, which holds configuration such as repositories and server credentials, is the file that will be updated here.

Problem

Say you, as a user, want to access a protected repository: you need your credentials (username/password) to download the required jar files. These jars or libraries are downloaded when they are declared in the project’s pom.xml and you run a Maven build on the project.

So people may be uneasy about leaving unencrypted passwords in the ~/.m2/settings.xml file on a production system.

Once you start using Maven to deploy software to remote repositories and to interact with source control systems directly, you will put a number of passwords into Maven’s ~/.m2/settings.xml file, with no mechanism for encrypting them.

The ~/.m2/settings.xml file therefore quickly becomes a security risk, as it contains plain-text passwords for source control and repository managers.

Solution

Luckily, Maven 2.1 onward provides a facility to encrypt passwords in the ~/.m2/settings.xml file.

The main use case addressed by this solution is:

  • multiple users share the same build machine (server, CI box)
  • some users have the privilege to deploy Maven artifacts to repositories, some users do not
    • this applies to any server operations, requiring authorization, not only deployment
  • settings.xml is shared between users

The implemented solution adds the following capabilities:

  • authorized users have an additional ~/.m2/settings-security.xml file
  • this file either contains the encrypted master password, used to encrypt the other passwords, or a relocation: a reference to another file, possibly on removable storage
  • this password is created first via CLI for now
  • server entries in the ~/.m2/settings.xml have passwords and/or keystore passphrases encrypted
  • for now this is done via the CLI after the master password has been created and stored in the appropriate location

Implementation

To configure encrypted passwords, first create a master password by running mvn --encrypt-master-password followed by the master password of your choice.

For example, at the command prompt:

mvn --encrypt-master-password <master password>

Maven prints an encrypted copy of the password to standard output (the command prompt). Copy this encrypted value and paste it into the ~/.m2/settings-security.xml file.

For example, your settings-security.xml file may look similar to this:

<settingsSecurity>
	<master>{QeHdkBDuA30HULnWQdLwXML+svDJpdH4rlS1RZ6omZ4=}</master>
</settingsSecurity>

where {QeHdkBDuA30HULnWQdLwXML+svDJpdH4rlS1RZ6omZ4=} is the encrypted master password you generated earlier.

After you have created a master password, you can encrypt the passwords used in your Maven settings. To encrypt a password with the master password, run mvn --encrypt-password followed by the password.

For example, execute the following command at the command prompt:

mvn --encrypt-password <password>

Then use the encrypted output in your ~/.m2/settings.xml file. For example:

<servers>
	<server>
		<id>nexus</id>
		<!-- replace with your repository username -->
		<username>your-username</username>
		<password>{kd2WsF7hXDwHDsvlAE7sbp7cGB2VWkVz/hJxFCPYcio=}</password>
	</server>
	...
</servers>

where {kd2WsF7hXDwHDsvlAE7sbp7cGB2VWkVz/hJxFCPYcio=} is the encrypted password you generated in the previous step.

When you run a Maven build that needs to interact with the repository manager, Maven retrieves the master password from the ~/.m2/settings-security.xml file, uses it to decrypt the password stored in your ~/.m2/settings.xml file, and then sends the decrypted password to the server.

This lets you avoid storing plain-text passwords in ~/.m2/settings.xml and gives you the peace of mind that your critical passwords are not stored in an unprotected manner in a Maven settings file.

Keep in mind that this feature does not encrypt the password while it is being sent to the remote server; an enterprising attacker could still capture it using a network analysis tool.

For an extra level of security, you can store the encrypted master password on a removable storage device such as a USB drive. Using this method, you plug the drive into the workstation only when you want to perform a deployment or interact with a remote server; while it is unplugged, the encrypted passwords in ~/.m2/settings.xml cannot be decrypted on that machine.
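The procedure above leaves you with two files to keep straight, so as an added example (not from the original post and not Maven's own code) here is a small Python audit that parses a settings.xml and a settings-security.xml with the standard library and reports every server password or passphrase still in plain text, plus whether the master password is encrypted or relocated to another file (the removable-drive setup). The XML samples at the bottom, the server ids, and the USB path are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Maven marks an encrypted value by wrapping it in curly braces: {base64}.
# This audit is strict (the whole value must be one brace-wrapped token);
# Maven itself only looks for a '{'...'}' pair somewhere in the value, so a
# plain-text password that happens to contain braces would confuse it too.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted(value):
    """True if value is in Maven's {base64} encrypted form."""
    return value is not None and ENCRYPTED_RE.match(value.strip()) is not None


def local_name(tag):
    """Strip the namespace a real settings.xml declares (xmlns=.../SETTINGS/1.0.0)."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_credentials(settings_xml):
    """Return [(server id, element name)] for every <password> or <passphrase>
    under <servers> that is non-empty but not in encrypted form."""
    findings = []
    for server in ET.fromstring(settings_xml).iter():
        if local_name(server.tag) != "server":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in server}
        for name in ("password", "passphrase"):
            value = fields.get(name)
            if value and not is_encrypted(value):
                findings.append((fields.get("id", "?"), name))
    return findings


def classify_master(settings_security_xml):
    """Describe where settings-security.xml gets its master password from:
    ('relocation', path) when it points at another file (e.g. on a USB drive),
    otherwise ('master', 'encrypted' | 'plaintext' | 'missing')."""
    root = ET.fromstring(settings_security_xml)
    fields = {local_name(c.tag): (c.text or "").strip() for c in root}
    if fields.get("relocation"):
        return ("relocation", fields["relocation"])
    master = fields.get("master")
    if not master:
        return ("master", "missing")
    return ("master", "encrypted" if is_encrypted(master) else "plaintext")


# --- constructed sample files (not real credentials or ciphertext) -------
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>nexus</id>
      <username>deployer</username>
      <password>
        {c0nstructedSampleCipherText+Only/NotReal=}
      </password>
    </server>
    <server>
      <id>legacy-repo</id>
      <username>deployer</username>
      <password>hunter2</password>
    </server>
    <server>
      <id>ssh-repo</id>
      <privateKey>${user.home}/.ssh/id_rsa</privateKey>
      <passphrase>open sesame</passphrase>
    </server>
  </servers>
</settings>"""

SAMPLE_SECURITY_OK = "<settingsSecurity><master>{c0nstructedMasterCipherText=}</master></settingsSecurity>"
SAMPLE_SECURITY_USB = "<settingsSecurity><relocation>/Volumes/USBKEY/settings-security.xml</relocation></settingsSecurity>"
SAMPLE_SECURITY_BAD = "<settingsSecurity><master>changeit</master></settingsSecurity>"


if __name__ == "__main__":
    for server_id, field in find_plaintext_credentials(SAMPLE_SETTINGS):
        print(f"plain-text {field} for server '{server_id}'")
    for label, doc in (("ok", SAMPLE_SECURITY_OK), ("usb", SAMPLE_SECURITY_USB),
                       ("bad", SAMPLE_SECURITY_BAD)):
        print(label, classify_master(doc))
```

Every finding from find_plaintext_credentials is a credential that still needs the mvn --encrypt-password step, and a ('master', 'plaintext') result means the master password was pasted in unencrypted. Two things the audit cannot check for you: Maven must be able to read both files at build time, so anyone who can read ~/.m2/settings.xml and settings-security.xml together can recover the plain text (keep both files owner-readable only, or use the relocation to removable storage described above), and, as the post notes, the feature does nothing for the password in transit, so the repository connection itself should be over HTTPS.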

For a complete example, follow the procedure set out in the Apache Maven documentation.
