Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

mvn --encrypt-master-password <password> : Good practice for choosing <password>? Which level of privacy should it be?

I am learning to use maven password encryption capabilities and I would like to know how to choose the parameter <password>. There are two things that I don't understand:

1) mvn --encrypt-master-password foobar will always give a different encrypted master password.

Since the encrypted master password is always different, I see only two possibilities:

  1. A local property is stored somewhere so that it can be used to decrypt the encrypted master password to get the master password. That means that our encrypted server passwords can only be used locally.
  2. Nothing is stored and the master password is useless and doesn't matter at all.

So, my questions here are:

What is stored locally? Will my master password remain safe? Is there a third possibility I didn't think of?

2) On the maven website, it is written:

Also note that the encrypted passwords can be decrypted by someone that has the master password and settings security file. Keep this file secure (or stored separately) if you expect the possibility that the settings.xml file may be retrieved.

If the settings security file is the thing to protect, why should I bother choosing a strong master password? Can't I just use foobar and keep my settings security file safe?

Also, it looks like someone with the two files (settings security file and settings file) would not need the master password to connect to the maven servers. He could use our identity without knowing the passwords. The master password is "only" needed to decrypt the servers passwords (to get them plain text). But then again, protecting the settings security file should be the way to go and the master password would remain useless.

My questions:

How important is the master password? Have I got to remember it? Can I use a long random phrase and forget it forever?

PS: I couldn't find my answer here.

like image 784
ncenerar Avatar asked May 07 '13 14:05

ncenerar


People also ask

What is Maven master password used for?

When you run a Maven build that needs to interact with the repository manager, Maven will retrieve the Master password from the ~/. m2/settings-security. xml file and use this master password to decrypt the password stored in your ~/. m2/settings.

What encryption is used for passwords?

Passwords are encrypted by the AES128 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format. Passwords are encrypted by the AES192 algorithm before they are stored in the directory and are retrieved as part of an entry in the original clear format.

Where does Maven Store credentials?

If you have authentication to Maven repos in your organization, you normally store the username and password in the Maven settings file located by default at ~/. m2/settings. xml .

Why is encryption of password important?

Encryption scrambles your password so it's unreadable and/or unusable by hackers. That simple step protects your password while it's sitting in a server, and it offers more protection as your password zooms across the internet.


1 Answers

First password is used to generated the master password only, then you can forget it. It is generated using encryption mechanisms and pseudo-random component. As a consequence of that, it should not be possible to decipher it. There is nothing else stored locally than your master password in your security-settings file and it won't be ever prompted or asked again.

This master password is used to cipher and decipher passwords in your settings file. It has the same value as an user-introduced password, but it is almost impossible to deduce it.

Then:

  1. There is nothing else stored locally than your master password in your security-settings file and it won't be ever prompted or asked again. All the safety resides in the safety of the security-settings file.

  2. The master password is not really important and you can forget immediately. You can use whatever you want.

I don't like this approach to protect my password and I would like having a real password cyphering mechanism with a real master password not stored. Public-private key with password strategies seems to be better.

like image 97
logoff Avatar answered Oct 13 '22 22:10

logoff