Maven 2.1.0+ now supports server password encryption. The main use case addressed by this solution is:
The implemented solution adds the following capabilities:
Use the following command line:
mvn --encrypt-master-password <password>
This command will produce an encrypted version of the password, something like
{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}
Store this password in the ~/.m2/settings-security.xml file; it should look like
<settingsSecurity>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>
When this is done, you can start encrypting existing server passwords.
You will have to use the following command line:
mvn --encrypt-password <password>
This command will produce an encrypted version of it, something like
{COQLCE6DU6GtcS5P=}
Cut-n-paste it into your settings.xml file in the server section. This will look like:
<settings>
...
<servers>
...
<server>
<id>my.server</id>
<username>foo</username>
<password>{COQLCE6DU6GtcS5P=}</password>
</server>
...
</servers>
...
</settings>
Please note that the password can contain any information outside of the curly brackets, so the following will still work:
<settings>
...
<servers>
...
<server>
<id>my.server</id>
<username>foo</username>
<password>Oleg reset this password on 2009-03-11, expires on 2009-04-11 {COQLCE6DU6GtcS5P=}</password>
</server>
...
</servers>
...
</settings>
Then you can use, say, the deploy plugin to write to this server:
mvn deploy:deploy-file -Durl=https://maven.corp.com/repo \
-DrepositoryId=my.server \
-Dfile=your-artifact-1.0.jar
Create the master password exactly as described above, and store it on a removable drive. For instance, on OSX, my USB drive mounts as /Volumes/mySecureUsb, so I store
<settingsSecurity>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>
in the file /Volumes/mySecureUsb/secure/settings-security.xml
And then I create ~/.m2/settings-security.xml with the following content:
<settingsSecurity>
<relocation>/Volumes/mySecureUsb/secure/settings-security.xml</relocation>
</settingsSecurity>
This ensures that encryption will only work when the USB drive is mounted by the OS. This addresses a use case where only certain people are authorized to deploy and are issued these devices.
At times, you might find that your password (or the encrypted form of it) may actually contain '{' or '}' as a literal value. If you added such a password as-is to your settings.xml file, you would find that Maven does strange things with it. Specifically, Maven will treat all the characters preceding the '{' literal, and all the characters after the '}' literal, as comments. Obviously, this is not the behavior you want in such a situation. What you really need is a way of escaping the curly-brace literals in your password.
Starting in Maven 2.2.0, you can do just this, with the widely used '\' escape character. If your password looks like this:
jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+{EF1iFQyJQ=
Then, the value you would add to your settings.xml would look like this:
{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+\{EF1iFQyJQ=}
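The following Python check is an added example, not part of the Maven documentation or Maven's own code. It applies the curly-bracket rules described above (comment text outside the brackets, '\' escaping of literal braces) to report which server entries in a settings.xml still hold a plain-text password. The function names, the regular expression, and the sample ids legacy.server and brace.server are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First unescaped '{', a payload in which braces only appear as \{ or \},
# then the closing '}'. Text outside the braces is treated as a comment.
_PAYLOAD = re.compile(r"(?<!\\)\{((?:\\.|[^\\{}])+)\}")


def encrypted_payload(value):
    """Return the text between the curly brackets, unescaped, or None."""
    match = _PAYLOAD.search(value or "")
    if match is None:
        return None
    return re.sub(r"\\([{}])", r"\1", match.group(1))


def _local(tag):
    # Drop an XML namespace prefix such as '{http://...}server' -> 'server'.
    return tag.rsplit("}", 1)[-1]


def audit_servers(settings_xml):
    """Map each <server> id to 'encrypted', 'plaintext' or 'no password'."""
    report = {}
    for node in ET.fromstring(settings_xml).iter():
        if _local(node.tag) != "server":
            continue
        fields = {_local(child.tag): (child.text or "") for child in node}
        if "password" not in fields:
            report[fields.get("id", "?")] = "no password"
        elif encrypted_payload(fields["password"]) is None:
            report[fields.get("id", "?")] = "plaintext"
        else:
            report[fields.get("id", "?")] = "encrypted"
    return report


# Constructed sample: my.server is from the page, the other ids are made up.
SAMPLE = r"""<settings><servers>
  <server><id>my.server</id><username>foo</username>
    <password>reset 2009-03-11 {COQLCE6DU6GtcS5P=}</password></server>
  <server><id>legacy.server</id><username>foo</username>
    <password>hunter2</password></server>
  <server><id>brace.server</id><username>foo</username>
    <password>pa\{ss\}word</password></server>
</servers></settings>"""

if __name__ == "__main__":
    for server_id, status in audit_servers(SAMPLE).items():
        print(f"{server_id}: {status}")
```

A value reported as encrypted only has the bracket syntax; the check does not decrypt or validate it, so a plain-text password containing unescaped braces would be misclassified.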