How safe is maven encryption?
wolfc/plexus-cipher-test
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
This project is about a little critique I have on the mini guide for Maven password encryption. http://maven.apache.org/guides/mini/guide-encryption.html The guide under-states the security ramification of these measures. Which I think should be explicitly stated for a reader to attain the desired effect. The article should stress that the 'encrypted' master password must be stored on a removable drive to attain a secure environment. Why do I put encrypted within quotes? Because fact of the matter is that the master password is not encrypted, but simply encoded. @Test public void test1() throws Exception { String master = "{WR51wo2sI1QHlQM0MhI7AULqJXRZvtoppQsqdg74p08=}"; DefaultPlexusCipher cipher = new DefaultPlexusCipher(); String result = cipher.decryptDecorated(master, "settings.security"); assertEquals("Doh!", result); } This means that putting the master password in .m2/settings-security.xml would make your server password perfectly readable again. @Test public void test2() throws Exception { String master = "Doh!"; String pwd = "{fB3b7bF6RKUHOTcOH790i8jm4C4fIBM4BZ5UvXSTODk=}"; DefaultPlexusCipher cipher = new DefaultPlexusCipher(); String result = cipher.decryptDecorated(pwd, master); assertEquals("Eeek!", result); } So without introducing an external factor (like an USB key) the mechanism is just as secure as your plain password in .m2/settings.xml. To try this out on your own passwords, simply clone git://github.com/wolfc/plexus-cipher-test.git, mvn assembly:assembly and do: $ java -jar target/jboss-plexus-cipher-test-full.jar {WR51wo2sI1QHlQM0MhI7AULqJXRZvtoppQsqdg74p08=} $ java -jar target/jboss-plexus-cipher-test-full.jar {fB3b7bF6RKUHOTcOH790i8jm4C4fIBM4BZ5UvXSTODk=} Doh\!
About
How safe is maven encryption?
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published