Maven 2.1.x trunk now supports server password decryption. This solution is a first implementation and will be enhanced and made more user-friendly in the near future. What is described here works but is not very user-friendly; a Maven plugin to address password maintenance is in the works.

The main use case addressed by this solution is:

  • multiple users share the same build machine (server, CI box)
  • some users have the privilege to deploy Maven artifacts to repositories, some don't
    • this applies to any server operation requiring authorization, not only deployment
  • settings.xml is shared between users

The implemented solution adds the following:

  • authorized users have an additional settings-security.xml file in their ~/.m2 folder
    • this file either contains an encrypted master password, which is used to encrypt the other passwords
    • or it contains a relocation: a reference to another file, possibly on removable storage
    • for now, this master password is created via the CLI
  • server entries in settings.xml have their passwords and/or keystore passphrases encrypted
    • for now, this is done via the CLI after the master password has been created and stored in the appropriate location

How to create the master password

All necessary classes are in the Maven uber jar, which is in ${maven.home}/lib.

Use the following command line:

java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher -m

This command will prompt you for the master password and will produce an encrypted version of it, something like:

{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}

Store this encrypted value in ~/.m2/settings-security.xml; the file should look like:

<settingsSecurity>
  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

When this is done, you can start encrypting existing server passwords.

How to encrypt server passwords

You use the same command line tool as for the master password (see above), but with a different parameter: -p

Use the following command line:

java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher -p

This command will prompt you for a password and will produce an encrypted version of it, something like:

{COQLCE6DU6GtcS5P=}

Cut and paste it into the server section of your settings.xml file. This will look like:

<settings>
...
  <servers>
...
    <server>
      <id>my.server</id>
      <username>foo</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
...
  </servers>
...
</settings>

Then you can use, say, the deploy plugin to write to this server:

mvn deploy:deploy-file -Durl=https://maven.corp.com/repo \
                       -DrepositoryId=my.server \
                       -Dfile=your-artifact-1.0.jar

How to keep the master password on a removable drive

Create the master password exactly as described above and store it on a removable drive. For instance, on OS X my USB drive mounts as /Volumes/mySecureUsb, so I store

<settingsSecurity>
  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

in the file /Volumes/mySecureUsb/secure/settings-security.xml

Then create ~/.m2/settings-security.xml with the following content:

<settingsSecurity>
  <relocation>/Volumes/mySecureUsb/secure/settings-security.xml</relocation>
</settingsSecurity>

This ensures that password encryption and decryption only work while the USB drive is mounted by the OS. It addresses the use case where only certain people are authorized to deploy and those people are issued such devices.
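As an added example (not part of the original page or of Maven itself), the following script audits the two files described above on a shared build machine: it flags <server> entries in settings.xml whose password or passphrase is still plaintext rather than in the {…} form produced by the CLI, and it follows a <relocation> in settings-security.xml to report whether the master password is encrypted, plaintext, or unavailable because the removable drive is not mounted. The sample XML and the file reader parameter are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Values produced by "DefaultSecDispatcher -m / -p" are wrapped in braces, as shown on this page.
ENCRYPTED = re.compile(r"^\{.+\}$")

# Constructed sample: a shared settings.xml with one encrypted and one plaintext
# password, and a settings-security.xml that relocates the master password.
SETTINGS_XML = """<settings>
  <servers>
    <server><id>my.server</id><username>foo</username>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>legacy</id><username>bar</username>
      <password>hunter2</password></server>
  </servers>
</settings>"""

SECURITY_XML = """<settingsSecurity>
  <relocation>/Volumes/mySecureUsb/secure/settings-security.xml</relocation>
</settingsSecurity>"""


def local(tag):
    """Strip a namespace prefix so the check works whether or not xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def plaintext_servers(settings_xml):
    """Return ids of <server> entries whose password/passphrase is not in {...} form."""
    bad = []
    for server in ET.fromstring(settings_xml).iter():
        if local(server.tag) != "server":
            continue
        sid = next((c.text for c in server if local(c.tag) == "id"), "?")
        for child in server:
            if local(child.tag) in ("password", "passphrase") and child.text \
                    and not ENCRYPTED.match(child.text.strip()):
                bad.append(sid)
    return bad


def master_status(security_xml, read=lambda p: Path(p).read_text(), depth=0):
    """Follow <relocation> (bounded) and classify the <master> entry.
    `read` is injected so the check runs without a real USB drive."""
    if depth > 3:
        return "relocation chain too deep"
    root = ET.fromstring(security_xml)
    reloc = root.findtext("relocation")
    if reloc is not None:
        try:  # a missing target is what you see when the drive is not mounted
            return master_status(read(reloc.strip()), read, depth + 1)
        except OSError:
            return "relocation target missing (drive not mounted?)"
    master = root.findtext("master")
    if not master:
        return "no master password"
    return "encrypted master" if ENCRYPTED.match(master.strip()) else "PLAINTEXT master"
```

Run it against the real ~/.m2/settings.xml and ~/.m2/settings-security.xml on a CI box to confirm that no plaintext credentials remain in the shared file.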
