I am learning to use maven password encryption capabilities and I would like to know how to choose the parameter <password>
. There are two things that I don't understand:
mvn --encrypt-master-password foobar
will always give a different encrypted master password
.Since the encrypted master password
is always different, I see only two possibilities:
encrypted master password
to get the master password
. That means that our encrypted server passwords
can only be used locally.master password
is useless and doesn't matter at all.So, my questions here are:
What is stored locally? Will my
master password
remain safe? Is there a third possibility I didn't think of?
Also note that the encrypted passwords can be decrypted by someone that has the master password and settings security file. Keep this file secure (or stored separately) if you expect the possibility that the settings.xml file may be retrieved.
If the settings security file
is the thing to protect, why should I bother choosing a strong master password? Can't I just use foobar and keep my settings security file
safe?
Also, it looks like someone with the two files (settings security file
and settings file
) would not need the master password
to connect to the maven servers. He could use our identity without knowing the passwords. The master password
is "only" needed to decrypt the servers passwords
(to get them plain text). But then again, protecting the settings security file
should be the way to go and the master password
would remain useless.
My questions:
How important is the
master password
? Have I got to remember it? Can I use a long random phrase and forget it forever?
PS: I couldn't find my answer here.
When you run a Maven build that needs to interact with the repository manager, Maven will retrieve the Master password from the ~/. m2/settings-security. xml file and use this master password to decrypt the password stored in your ~/. m2/settings.
Passwords are encrypted by the AES128 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format. Passwords are encrypted by the AES192 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format.
If you have authentication to Maven repos in your organization, you normally store the username and password in the Maven settings file located by default at ~/. m2/settings. xml .
Encryption scrambles your password so it's unreadable and/or unusable by hackers. That simple step protects your password while it's sitting in a server, and it offers more protection as your password zooms across the internet.
First password is used to generated the master password only, then you can forget it. It is generated using encryption mechanisms and pseudo-random component. As a consequence of that, it should not be possible to decipher it. There is nothing else stored locally than your master password in your security-settings file and it won't be ever prompted or asked again.
This master password is used to cipher and decipher passwords in your settings file. It has the same value as an user-introduced password, but it is almost impossible to deduce it.
Then:
There is nothing else stored locally than your master password in your security-settings file and it won't be ever prompted or asked again. All the safety resides in the safety of the security-settings file.
The master password is not really important and you can forget immediately. You can use whatever you want.
I don't like this approach to protect my password and I would like having a real password cyphering mechanism with a real master password not stored. Public-private key with password strategies seems to be better.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With