Maven | Encrypt Passwords in Maven settings.xml
  1. Encrypt Passwords
  2. Recover/Decrypt Passwords
  3. Enhanced Security with Relocation

  1. Encrypt Passwords
    Important: Maven's password encryption feature provides obfuscation, not true security. It protects against casual viewing but can be easily decrypted by anyone with access to your system and Maven installation.

    See the official Maven documentation for comprehensive information: https://maven.apache.org/guides/mini/guide-encryption.html

    Available Options:
    -emp,--encrypt-master-password <arg>    Encrypt master security password
    -ep,--encrypt-password <arg>            Encrypt server password
    
    To encrypt passwords in your Maven settings.xml file, you must first create a Maven master password which Maven will use to encrypt and decrypt your passwords:
    $ mvn --encrypt-master-password my-master-password
    {wJ/n72ck7SoHf+oKi74V0/aNPw8y5qr8c/biQsjpEFZzLV1YaTFC1ns1cnoBIh0w}
    Next, create the file ${user.home}/.m2/settings-security.xml and add the encrypted master password:
    $ vi ${user.home}/.m2/settings-security.xml
    <settingsSecurity>
      <master>{wJ/n72ck7SoHf+oKi74V0/aNPw8y5qr8c/biQsjpEFZzLV1YaTFC1ns1cnoBIh0w}</master>
    </settingsSecurity>
    Now you can encrypt individual passwords using:
    $ mvn --encrypt-password my-password
    {COQLCE6DU6GtcS5P=}
    Replace the clear text passwords in your settings.xml file with the encrypted versions. For example:
    <servers>
      <server>
        <id>my-server</id>
        <username>my-username</username>
        <password>{COQLCE6DU6GtcS5P=}</password>
      </server>
    </servers>
    Maven automatically detects encrypted passwords (enclosed in curly braces) and decrypts them using the master password when needed.
  2. Recover/Decrypt Passwords
    If you need to recover passwords stored in your Maven configuration files, you can use the maven-settings-decoder tool available at: https://github.com/jelmerk/maven-settings-decoder

    After downloading and extracting the tool, execute it against your settings files:
    $ ~/Downloads/settings-decoder/bin/settings-decoder -f ~/.m2/settings.xml -s ~/.m2/settings-security.xml
    Master password is : my-master-password
    -------------------------------------------------------------------------
    Credentials for server my-server are :
    Username : my-username
    Password : my-password
  3. Enhanced Security with Relocation
    You can improve security by using a relocation element in settings-security.xml that points to a separate, more secure file containing the master password:
    <settingsSecurity>
      <relocation>/secure/path/master-password.xml</relocation>
    </settingsSecurity>
    The referenced file would contain:
    <settingsSecurity>
      <master>{encrypted-master-password}</master>
    </settingsSecurity>
    Security Best Practices:
    • The password argument is optional for both mvn --encrypt-master-password and mvn --encrypt-password. Omitting it will prompt for input, which prevents special character escaping issues and keeps passwords out of your shell history.
    • Set restrictive file permissions on settings-security.xml: chmod 600 ~/.m2/settings-security.xml
    • Consider using the relocation feature to store the master password in a separate, more secure location.
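    The following Python script is an added example (not from this page or from Maven itself) that audits the points above: it flags <server> passwords that are not in Maven's curly-brace encrypted form, a settings-security.xml readable by group or others, and a missing <master> or a relocation target that fails the same checks. The sample settings and the hypothetical run_demo() helper are constructed; the permission check assumes a POSIX file system.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Maven treats a value that contains a {...} group as encrypted; text around the braces is allowed.
ENCRYPTED = re.compile(r"\{[^{}]+\}")
def _local(tag):
    return tag.rpartition("}")[2]  # strip the Maven XML namespace, if settings.xml declares one

def audit_settings(settings_xml):
    """Flag <server> entries whose <password> is not in Maven's {...} encrypted form."""
    findings = []
    for server in ET.fromstring(settings_xml).iter():
        if _local(server.tag) != "server":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in server}
        pwd = fields.get("password")
        if pwd is not None and not ENCRYPTED.search(pwd):
            findings.append(f"server '{fields.get('id')}': clear-text password")
    return findings

def audit_security_file(path, follow_relocation=True):
    """Check settings-security.xml: file mode, encrypted <master>, one <relocation> hop."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner access is too broad
        findings.append(f"{path}: mode {mode:o} readable by group/others; chmod 600")
    root = ET.parse(path).getroot()
    reloc, master = root.findtext("relocation"), root.findtext("master")
    if reloc and follow_relocation:  # the relocated file must pass the same checks
        findings += audit_security_file(reloc.strip(), follow_relocation=False)
    elif not (master and ENCRYPTED.search(master)):
        findings.append(f"{path}: no encrypted <master> and no <relocation>")
    return findings

def run_demo():
    """Constructed sample: one clear-text server plus a world-readable security file."""
    settings = """<settings><servers>
      <server><id>ok</id><username>u</username><password>{COQLCE6DU6GtcS5P=}</password></server>
      <server><id>leaky</id><username>u</username><password>my-password</password></server>
    </servers></settings>"""
    with tempfile.TemporaryDirectory() as d:
        sec = os.path.join(d, "settings-security.xml")
        with open(sec, "w") as f: f.write("<settingsSecurity><master>{wJ/n72ck7SoHf+oKi74V0/aNPw8y5qr8c/biQsjpEFZzLV1YaTFC1ns1cnoBIh0w}</master></settingsSecurity>")
        os.chmod(sec, 0o644)  # deliberately too permissive, to trigger the finding
        return audit_settings(settings) + audit_security_file(sec)
```

    Calling run_demo() returns two findings for the constructed sample; for a real check, pass the text of your own settings.xml to audit_settings() and the path of ~/.m2/settings-security.xml to audit_security_file().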

    Production Considerations:
    • For CI/CD pipelines, consider using environment variables or secure credential management systems instead of file-based password storage.
    • Regularly rotate passwords and update encrypted versions.
    • Monitor access to Maven configuration files.
© 2025  mtitek