Maven supports server password encryption. Passwords should always be kept confidential, but Maven needs them to be present in settings.xml, so a clear text password should be encrypted in the following scenarios:

  • Build machine (server, CI box) is shared between multiple users
  • Users have different privileges to deploy Maven artifacts to repositories; this applies to any server operation that requires authorization, not only deployment
  • settings.xml is shared between users

Maven provides the following commands for master password and server password encryption:

# encrypt the master password
mvn --encrypt-master-password <password>

# encrypt a server password
mvn --encrypt-password <password>

The command prints an encrypted version of the password, for example:

{jSMOWnoPGsiasjYRhagUHnasIOWGpI8u+9EF1iFQyJQ=}

Example of an encrypted password added to the server section of the settings.xml file:

<settings>
...
  <servers>
...
    <server>
      <id>my.server</id>
      <username>talksinfo</username>
      <password>{TUSDKSBGFSVNS6376GtcS5P=}</password>
    </server>
...
  </servers>
...
</settings>

Note that the password element can contain any additional text outside the curly brackets; only the text inside the brackets is treated as the encrypted value, so the following will still work:

<settings>
...
  <servers>
...
    <server>
      <id>my.server</id>
      <username>talksinfo</username>
      <password>reset this password on 2020-11-11, expires on 2020-11-12 {TUSDKSBGFSVNS6376GtcS5P=}</password>
    </server>
...
  </servers>
...
</settings>

Maven also provides a way to use the encrypted master password. The value produced by the master password command above is stored in the file ${user.home}/.m2/settings-security.xml as follows:

<settingsSecurity>
  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

How to keep the master password on a removable drive

Create the master password exactly as described above and store it on a removable drive. For instance, on OSX my USB drive mounts as /Volumes/mySecureUsbDrive, so I store

<settingsSecurity>
  <master>{IYEsdjspmqyHBjsjdksdbyaHJAFQyJQ=}</master>
</settingsSecurity>

in the file /Volumes/mySecureUsbDrive/secure/settings-security.xml

Then I create ${user.home}/.m2/settings-security.xml with the following content:

<settingsSecurity>
  <relocation>/Volumes/mySecureUsbDrive/secure/settings-security.xml</relocation>
</settingsSecurity>

This ensures that password encryption and decryption only work when the USB drive is mounted by the OS. It addresses the use case where only certain people are authorized to deploy and are issued these devices.
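As an added example (not part of the original article), the Python script below applies the two rules described above: it audits a settings.xml for server passwords that are still cleartext, treating only the {...} part as the encrypted value, and it follows the relocation chain of settings-security.xml, returning nothing when the relocated file is unreadable, which is what happens when the USB drive is not mounted. The regex for the curly brackets, the file paths and the sample files are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Maven treats only the text inside the curly braces as the encrypted value;
# anything outside them (a note, a date) is ignored. This regex is an
# assumption modelled on that rule, not taken from Maven's own code.
ENCRYPTED_RE = re.compile(r"\{([^{}]+)\}")

def encrypted_part(value):
    """Return the {...} payload of a password value, or None if it is cleartext."""
    m = ENCRYPTED_RE.search(value or "")
    return m.group(1) if m else None

def audit_servers(settings_xml):
    """Map each <server> id to 'encrypted', 'cleartext' or 'missing'.
    Assumes a settings.xml without an xmlns declaration, as in the article."""
    report = {}
    for server in ET.fromstring(settings_xml).iter("server"):
        fields = {c.tag: (c.text or "").strip() for c in server}
        pw = fields.get("password", "")
        status = "missing" if not pw else ("encrypted" if encrypted_part(pw) else "cleartext")
        report[fields.get("id", "<no id>")] = status
    return report

def resolve_master(read_file, path, max_hops=3):
    """Follow <relocation> links and return the encrypted master value, or None if
    a file in the chain is unreadable (e.g. USB drive not mounted) or it loops."""
    for _ in range(max_hops):
        text = read_file(path)
        if text is None:
            return None
        root = ET.fromstring(text)
        master = root.find("master")
        if master is not None and master.text:
            return encrypted_part(master.text)
        reloc = root.find("relocation")
        if reloc is None or not reloc.text:
            return None
        path = reloc.text.strip()
    return None
# Constructed sample files standing in for ~/.m2 and the removable drive.
USB = "/Volumes/mySecureUsbDrive/secure/settings-security.xml"
SAMPLE_FILES = {
    "/home/ci/.m2/settings-security.xml":
        f"<settingsSecurity><relocation>{USB}</relocation></settingsSecurity>",
    USB: "<settingsSecurity><master>{IYEsdjspmqyHBjsjdksdbyaHJAFQyJQ=}</master></settingsSecurity>",
}
SAMPLE_SETTINGS = """<settings><servers>
<server><id>my.server</id><password>note {TUSDKSBGFSVNS6376GtcS5P=}</password></server>
<server><id>legacy</id><password>cleartext-secret</password></server>
</servers></settings>"""
```

Pass a real reader such as a function that opens the path and returns None on failure to resolve_master to run this against an actual ~/.m2 directory.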

Password escaping on different platforms

On some platforms it may be necessary to quote the password if it contains special characters such as %, ! or $. For example, the following will not work on Windows:

mvn --encrypt-master-password a!$%^b

whereas the following will work on Windows:

mvn --encrypt-master-password "a!$%^b"

If you are on a Linux/Unix platform, use single quotes around the above master password. Otherwise the master password will not work, because the shell interprets the dollar sign and the exclamation mark.

Conclusion

This was an overview of how passwords can be encrypted with Maven and used in the settings.xml file.

Starting with Maven 3.2.1, the password is an optional argument. If you omit it, you are prompted for it, which avoids all the escaping issues mentioned above.

It is strongly recommended to use Maven 3.2.1 or later to avoid problems with escaping special characters and shell environment issues related to the password.