
How to secure and encrypt settings.xml passwords file in Maven?

Tags:

security

maven

How to secure server/proxy settings in settings.xml in maven?

I assume this is mostly about login and passwords stored there, and I assume that those can't be placed there explicitly. Should they be stored in env variables/etc?

How should an example of a secure settings.xml look?

kol23 asked Oct 10 '17 07:10


People also ask

How does maven encryption work?

The server password is decrypted using the master password as the encryption key; the master password is decrypted using "settings.security" as the encryption key.

Where are maven credentials stored?

When you run a Maven build that needs to interact with the repository manager, Maven will retrieve the Master password from the ~/.m2/settings-security.xml file and use this master password to decrypt the password stored in your ~/.m2/settings.

How can I get Maven master password?

How to create a master password. Use the following command line: mvn --encrypt-master-password <password>


2 Answers

You have 2 options:

1) If you need only use in settings.xml:

Execute:

mvn --encrypt-password <password>

You will get the encrypted password like this:

{COQLCE6DU6GtcS5P=}

You can use this password in your settings.xml:

<settings>
  ...
  <servers>
    ...
    <server>
      <id>my.server</id>
      <username>foo</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    ...
  </servers>
  ...
</settings>

2) If you need to use in multiple uses:

Execute:

mvn --encrypt-master-password <password>

You will get the encrypted password like this:

{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}

Store this password in ${user.home}/.m2/settings-security.xml; it should look like:

<settingsSecurity>
  <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

Javier C. answered Sep 18 '22 09:09


If a settings.xml is shared (maybe it's a 'team' file, maybe it sits on a shared build/CI box) then sensitive details within it - specifically passwords - can (should :) be encrypted.

  1. Create a master password:

    mvn --encrypt-master-password <password>
    
  2. Add the master password to settings-security.xml

  3. Encrypt your password

    mvn --encrypt-password <password>
    
  4. Add the encrypted value to your settings.xml

More details in the docs.

glytching answered Sep 20 '22 09:09
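
An added example (not from either answer or from Maven itself): a small Python audit that parses a settings.xml and reports whether each `<server>`/`<proxy>` password is an encrypted `{...}` value as produced by `mvn --encrypt-password`, a `${...}` reference such as `${env.NAME}` that Maven interpolates when it loads the file, or plaintext. The sample file, its ids and values, and the `CI_REPO_PASSWORD` variable name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Maven wraps encrypted values in {...}; text outside the braces is ignored.
ENCRYPTED = re.compile(r"(?<![$\\])\{[^{}]+\}")
# ${env.NAME} and other ${...} properties are resolved when settings.xml is loaded.
INTERPOLATED = re.compile(r"\$\{[^{}]+\}")
SECRET_TAGS = {"password", "passphrase"}

def local(tag):
    """Drop a namespace prefix such as {http://maven.apache.org/SETTINGS/1.0.0}."""
    return tag.rsplit("}", 1)[-1]

def classify(value):
    if ENCRYPTED.search(value):
        return "encrypted"
    if INTERPOLATED.search(value):
        return "interpolated"
    return "plaintext"

def audit_settings(xml_text):
    """Return (kind, id, tag, status) for each secret in <server>/<proxy> entries."""
    findings = []
    for entry in ET.fromstring(xml_text).iter():
        kind = local(entry.tag)
        if kind not in ("server", "proxy"):
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        for tag in sorted(fields.keys() & SECRET_TAGS):
            if fields[tag]:
                findings.append((kind, fields.get("id", "?"), tag, classify(fields[tag])))
    return findings

# Constructed sample input; ids, usernames and values are made up.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>my.server</id><username>foo</username>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>ci.server</id><username>ci</username>
      <password>${env.CI_REPO_PASSWORD}</password></server>
    <server><id>legacy</id><username>bar</username>
      <password>hunter2</password></server>
  </servers>
  <proxies><proxy><id>corp</id><password>s3cret</password></proxy></proxies>
</settings>"""

if __name__ == "__main__":
    for kind, ident, tag, status in audit_settings(SAMPLE):
        print(f"{kind:6} {ident:10} {tag:10} {status}")
```

Any entry reported as `plaintext` is a candidate for `mvn --encrypt-password`; an `interpolated` entry keeps the secret out of the file but moves it into the build environment, which then needs its own protection.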