how to secure and encrypt settings.xml passwords file in maven?
How to secure server/proxy settings in settings.xml in maven?

I assume this is mostly about logins and passwords stored there, and I assume that those can't be placed there explicitly; should they be stored in env variables, etc.?

How should an example of a secure settings.xml look?

Rhotacism answered 10/10, 2017 at 7:59 Comment(0)

You have 2 options:

1) If you only need to use it in settings.xml:

Execute:

mvn --encrypt-password <password>

You will get the encrypted password like this:

{COQLCE6DU6GtcS5P=}

You can use this password in your settings.xml:

<settings>
    ...
    <servers>
        ...
        <server>
            <id>my.server</id>
            <username>foo</username>
            <password>{COQLCE6DU6GtcS5P=}</password>
        </server>
        ...
    </servers>
    ...
</settings>

2) If you need to use it in multiple places:

Execute:

mvn --encrypt-master-password <password>

You will get the encrypted password like this:

{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}

Store this password in ${user.home}/.m2/settings-security.xml; it should look like:

<settingsSecurity>
    <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

Rumsey answered 10/10, 2017 at 8:6 Comment(3)
Thanks for the example, can I somehow secure the master password location even more than in the /.m2/settings-security.xml file? (Rhotacism)

I edited my post; if you need to use it in more than settings.xml you can create the file /.m2/settings-security.xml (Rumsey)

I have a password that contains both '!' and '@' symbols. Do I need to escape these like this: \!\password\@\text ? (Chalaza)

If a settings.xml is shared (maybe it's a 'team' file, maybe it sits on a shared build/CI box) then sensitive details within it - specifically passwords - can (should :) be encrypted.

  1. Create a master password:

    mvn --encrypt-master-password <password>
    
  2. Add the master password to settings-security.xml

  3. Encrypt your password

    mvn --encrypt-password <password>
    
  4. Add the encrypted value to your settings.xml

More details in the docs.

Adscription answered 10/10, 2017 at 8:7 Comment(3)
Master password is indeed required. Can it be even further secured than just an encrypted hash in settings-security.xml? (Rhotacism)

Not that I'm aware of. This approach does rely on keeping your settings-security.xml safe. The docs make mention of this: "For an extra level of security, you can encourage your developers to store the encrypted master password on a removable storage device like a USB hard drive". (Adscription)

If you are using it on a CI server you should let the CI tool handle that, for example Jenkins using the config file provider in combination with the credentials store... (Stalagmite)
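The two answers above describe the same file layout: encrypted `{...}` values in `settings.xml`, the master key in `settings-security.xml`, and (per the docs quoted in the comment) the option of keeping that master file on removable media, which Maven supports through a `<relocation>` element. The script below is an added example, not code from either answer or from Maven itself: it audits a settings.xml for `<server>` passwords that were never encrypted, follows `<relocation>` the way Maven does to find the effective master file, and checks that file's permission bits. All paths and XML samples in it are constructed for the demo (the encrypted strings are the ones shown in the answers, used only as shape examples).

```python
"""Audit Maven credential files for plaintext passwords and an exposed master key.

Added example; not code from the answers above or from Maven. It assumes only
what Maven documents: <server><password> entries in settings.xml, a <master>
element in settings-security.xml, and the optional <relocation> element that
points Maven at a settings-security.xml stored elsewhere (e.g. removable media).
All file paths and XML samples below are constructed for the demo.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Maven wraps every encrypted value in braces: {base64 ciphertext}
ENCRYPTED_FORM = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted(value):
    """True if the value has the {...} shape produced by mvn --encrypt-password."""
    return bool(ENCRYPTED_FORM.match((value or "").strip()))


def _local(tag):
    # settings.xml usually carries a default namespace; compare local names only
    return tag.rsplit("}", 1)[-1]


def plaintext_server_ids(settings_xml):
    """Return the <id> of every <server> whose <password> is not encrypted."""
    root = ET.fromstring(settings_xml)
    leaky = []
    for elem in root.iter():
        if not isinstance(elem.tag, str) or _local(elem.tag) != "server":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "password" in fields and not is_encrypted(fields["password"]):
            leaky.append(fields.get("id", "<no id>"))
    return leaky


def resolve_master(security_path, max_hops=5):
    """Follow <relocation> as Maven does; return (effective_path, master_or_None)."""
    path = security_path
    for _ in range(max_hops):
        root = ET.parse(path).getroot()
        reloc = root.find("relocation")
        if reloc is not None and (reloc.text or "").strip():
            path = os.path.expanduser(reloc.text.strip())
            continue
        master = root.find("master")
        text = (master.text or "").strip() if master is not None else ""
        return path, (text or None)
    raise RuntimeError("relocation chain too long: %s" % security_path)


def readable_by_others(path):
    """True if group or world can read the file (POSIX mode bits only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# --- constructed sample input: one encrypted server, one that was forgotten ---
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>my.server</id><username>foo</username>
            <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>leaky.server</id><username>bar</username>
            <password>plaintext-secret</password></server>
  </servers>
</settings>"""

SAMPLE_MASTER = "{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}"


def audit_demo():
    """Build a ~/.m2-style layout in a temp dir, with the real master relocated
    to a second directory standing in for removable media, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home_sec = os.path.join(tmp, "m2", "settings-security.xml")
        usb_sec = os.path.join(tmp, "usb", "settings-security.xml")
        os.makedirs(os.path.dirname(home_sec))
        os.makedirs(os.path.dirname(usb_sec))
        with open(home_sec, "w") as f:  # stub that only points elsewhere
            f.write("<settingsSecurity><relocation>%s</relocation></settingsSecurity>" % usb_sec)
        with open(usb_sec, "w") as f:   # the file holding the actual master
            f.write("<settingsSecurity><master>%s</master></settingsSecurity>" % SAMPLE_MASTER)
        os.chmod(usb_sec, 0o644)  # deliberately too open, so the audit flags it

        effective, master = resolve_master(home_sec)
        return {
            "plaintext_servers": plaintext_server_ids(SAMPLE_SETTINGS),
            "master_relocated": effective == usb_sec,
            "master_encrypted": is_encrypted(master),
            "master_file_too_open": readable_by_others(effective),
        }


if __name__ == "__main__":
    for key, value in audit_demo().items():
        print("%-22s %s" % (key, value))
```

Run it as-is for the demo, or point `plaintext_server_ids` at the contents of a real settings.xml and `resolve_master` at `~/.m2/settings-security.xml`; a `master_file_too_open` finding means anyone on the host can read the key that decrypts every server password, which is the risk both answers' comments are getting at.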

The latest Maven versions require the settings-security.xml file to be in the same folder as settings.xml.

The command below is used to create an encryption key based on an initial password.

step 1:

mvn --encrypt-master-password <TYPE_YOUR_RANDOM_PASSWORD_HERE>

Then copy whatever you get as the result ({xxx=}) and paste it in settings-security.xml

eg.

<settingsSecurity>
    <master>{wf345sdfsdfasdaddf4343+xA=}</master>
</settingsSecurity>

step 2: run the command below to encrypt your actual password

mvn --encrypt-password <ACTUAL_SERVER_PASSWORD>

Then paste whatever you get as the result into your settings.xml attribute, e.g.

<server>
    <id>maven-xyz-public</id>
    <username>user_name</username>
    <password>{wfdsff43534sdfdsfd=}</password>
</server>

Indigoid answered 22/11, 2022 at 10:42 Comment(2)
Are you sure about your first statement? "Latest Maven version require settings-security.xml file to be in same folder as settings.xml." I am running Maven 3.8.5 and switch to a project-specific settings.xml: "mvn -s c:\path\to\my\settings.xml ..." but Maven still requires my settings-security.xml in my user's home directory c:\users\<me>\.m2 (Roentgenoscope)

I remember it was version 3.6 or 3.5 when I posted this comment. (Indigoid)

I did some tooling to facilitate the work, available here: https://github.com/robert35/mvncypherutilities/tree/main

(sample app, a Maven plugin (pojo), a GUI to open / encode / decode / update / encode / save the settings.xml)

1- edit the settings.xml (a sample is given in the project) and put the encrypted variable like this ("#{...}" pattern):

...<profiles>
    <profile>
        <id>production</id>
        <activation>
            <!-- do not use the activeByDefault option: if a profile is set on the
                 command line (and it will be), the profile activated by default
                 is skipped; prefer this way -->
            <property>
                <name>!foobarenvironment</name>
            </property>
        </activation>
        <properties>
            <mvn.settings.profile.production.foo.bar.datasource.url>#{3DPHAwEc7soHNI4hRTa/j3ETCtfEtlK/WaKPuuwnyKBoQ+tzPirR0Okhy9QEUTgWnwl4clMkO3Iv/j29HAM+WA==}</mvn.settings.profile.production.foo.bar.datasource.url>
        ...</properties>...

2- get the variable value from the pom using the pojo plugin dependency, which decodes the variable at the PROCESS_SOURCES phase by default

<build>
    <plugins>
        <plugin>
            <groupId>com.epsilon777.mvncypherutilities</groupId>
            <artifactId>mvndecrypt</artifactId>
            <version>0.0.1-SNAPSHOT</version>
            <executions>
                <execution>
                    <goals>
                        <goal>decrypt-properties</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

3- and in your pom:

...<properties>
    <pom.foo.bar.datasource.url>${mvn.settings.profile.production.foo.bar.datasource.url}</pom.foo.bar.datasource.url>
...</properties>...

4- now the decoded value is available to Maven, for example in the property file in the resource folder:

[email protected]@

But unfortunately, if someone has access to the jar those variables will be accessible, unless you put them on the command line...

(Furthermore you can relocate your settings-security.xml, using the relocation option to redirect to a USB volume...)

You will also have access to a GUI editor to encrypt the whole file in one go (by hand each password encryption is tedious and you don't remember what it references...)

Billhook answered 24/6, 2024 at 22:41 Comment(0)