Last Updated: February 25, 2016
· skuro

Secure password encryption in Maven

Maven allows you to create and store encrypted passwords to use for automatic server authentication:

# Create an encrypted master password, to be stored in ~/.m2/settings-security.xml
$ mvn -emp foobar

# Create an encrypted password, to be used in ~/.m2/settings.xml
$ mvn -ep barfoo

While the above is quick and easy, the major drawback of it is that you must enter the password as part of the command. Things like your shell scroll back buffer or history might keep them in plaintext, exposing them to malicious eyes.

One way to avoid this security issue is to wrap password encryption in a small shell script which will prompt you to enter a password, and then pass it to maven, ho harmful echo or history involved. Here's an example:


## Encrypt your maven password without leaving any trace in the shell history
## Carlo Sciolla
## v1 - 20131205

MVN=`which mvn`
OUT="pass> "

read -s -p "$OUT" PASS
mvn -ep "$PASS"

The key part in the above script is the read invocation, which uses -s to disable echo and -p to set a custom prompt. The password will be temporarily stored in the PASS variable, and then used by maven.

Here's a sample run of the above script:

$ mvnep
pass> {nGevxp+6Oz8HWVfyHbqz1sGvtNEE10skAbFn6un0tPc=}