Maven: How to encrypt passwords

Daniel S. Blanco
Aug 18, 2021


A common, if somewhat old-fashioned, practice is to create Maven profiles holding the configuration for different environments, and it is normal for passwords to travel inside that configuration. Today we will show how to encrypt passwords in Maven, plus a couple of tips for handling them correctly.

To begin with, we must generate a master key. We create it with the following command:

mvn --encrypt-master-password

When we run the command, it asks us for our master password and returns it in encrypted form:

{Q0eIoh2W24Hovj4oE0pXgObO3zHOXn/gvQC1gMFoI=}

This master key must be placed, in the following format, in the file ~/.m2/settings-security.xml:

<settingsSecurity>
  <master>{Q0eIoh2W24Hovj4oE0pXgObO3zHOXn/gvQC1gMFoI=}</master>
</settingsSecurity>

Now we can encrypt passwords using the --encrypt-password (or -ep) option of the mvn command. In this example we encrypt the word root:

$ mvn -ep root
{d/vIFp4AAAH2yHgBmc4A5NHaUdhOQWon9htDpHZBY=}

But here comes a small catch: these generated passwords can only be used in the settings.xml file (also located in the .m2 folder). Why in settings.xml and not directly in the pom.xml? Because it is a best practice, and the servers section of settings.xml was created for exactly that purpose: managing sensitive information about servers, which should not be floating around freely. Our configuration would therefore look like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <localRepository />
  <interactiveMode />
  <offline />
  <pluginGroups />
  <servers>
    <server>
      <id>mysql-local</id>
      <username>root</username>
      <password>{d/vIFp4AAAH2yHgBmc4A5NHaUdhOQWon9htDpHZBY=}</password>
    </server>
  </servers>
  <mirrors />
  <proxies />
  <profiles />
  <activeProfiles />
</settings>

And with this, our server passwords are encrypted and ready for Maven to use. But how do I use them inside the pom.xml? This seems like only half the story…

Good question. We can do it in two ways:

  • If we are going to use a plugin, we can replace its username/password configuration with a reference to a server defined in settings.xml, as long as the plugin supports it. tomcat7-maven-plugin does, for example:

<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat7-maven-plugin</artifactId>
  <version>2.2</version>
  <configuration>
    <url>http://localhost:8080/manager</url>
    <server>TomcatServerConfiguredInSettingsXml</server>
  </configuration>
</plugin>

  • Otherwise, we can add the servers-maven-extension build extension, which exposes the servers from settings.xml as properties of the form ${settings.servers.<id>.<field>}, and reference them from a profile:

<build>
  <extensions>
    <extension>
      <groupId>com.github.shyiko.servers-maven-extension</groupId>
      <artifactId>servers-maven-extension</artifactId>
      <version>1.3.1</version>
    </extension>
  </extensions>
</build>
<profiles>
  <profile>
    <id>local</id>
    <properties>
      <mysql.userName>${settings.servers.mysql-local.username}</mysql.userName>
      <mysql.password>${settings.servers.mysql-local.password}</mysql.password>
    </properties>
  </profile>
</profiles>

But remember two last things. First, you can use this same encryption for remote repository servers, for example the Oracle repository or your company's own repository. In that case you only need to configure the server in the settings.xml file, as we did in the first snippet of that file.
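As an added example (not code from the original post), here is a small POSIX shell audit of a ~/.m2 directory covering the two files described above: it counts server passwords in settings.xml that are still plaintext rather than in the {...} form, and checks that settings-security.xml is readable only by its owner. The file names are the ones on this page; the function names are my own.

```shell
#!/bin/sh
# Added audit helper for the set-up described above (not from the original post).
# It counts <password> entries in a settings.xml that are NOT in Maven's encrypted
# {...} form and checks that settings-security.xml is readable only by its owner.
# The {...} values are reversible for anyone who can read settings-security.xml
# (Maven itself decrypts them at run time), so both files need tight permissions.

# Print the number of <password> values in "$1" that are not wrapped in {...}.
count_plaintext_passwords() {
    grep -o '<password>[^<]*</password>' "$1" 2>/dev/null \
        | sed -e 's#<password>##' -e 's#</password>##' \
        | grep -vc '^{.*}$' || true   # "|| true": grep exits 1 when the count is 0
}

# Succeed only if "$1" exists and has no group/other permission bits set.
check_security_file_mode() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback (assumption: one of the two exists).
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report on a Maven user directory such as ~/.m2.
audit_m2() {
    n=$(count_plaintext_passwords "$1/settings.xml")
    echo "plaintext <password> entries in $1/settings.xml: $n"
    if check_security_file_mode "$1/settings-security.xml"; then
        echo "$1/settings-security.xml: permissions OK"
    else
        echo "WARNING: $1/settings-security.xml missing or readable by group/others"
    fi
}

# Usage: sh audit-m2.sh ~/.m2
if [ "$#" -gt 0 ]; then
    audit_m2 "$1"
fi
```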

And second, using Maven profiles for this may not be the right idea in the first place. In older posts we have talked a lot about 12factor and its best practice of creating per-environment files that contain the information that changes between environments. Think about that if you find yourself wanting to encrypt passwords in the pom.xml file.
