Encrypt Maven Credentials


We want to access our company’s institutional repository in a secure fashion


When we use a maven repository that requires authentication, such as when we are using a company’s institutional Maven repository, the user needs to specify her credentials in order to be able to access the assets stored in it. However, if we are not careful about doing so, we may let others discover our credentials, because, unless we take our precautions, they are stored in plain text. Therefore, we need to take care of this by encrypting our password before setting it in the settings.xml file

How to

First, we have to create an encrypted master password, used to encrypt our password that accesses the remote repository. To do so, we need to start by creating the encrypted master password:

read -s p; mvn --encrypt-master-password [password]; unset p

With the previous command, we will produce an encrypted version of the master password we typed. The result of the previous statement should then be added to a file named settings-security.xml, stored in our maven directory, such as $HOME/.m2/settings-security.xml, with a content similar to:


At this point, we are ready to encrypt our server’s password. To do so, we now execute the statement below:

read -s p; mvn --encrypt-password [password]; unset p

Which will produce an encrypted version of the password we specified, using our encrypted master password. Finally, we add our credentials to the appropriate section in our settings.xml file and we are ready to rock! E.g.,



This is an easy but still useful tip on how to use maven’s security features to keep us on the safe side. Do not store your credentials unencrypted because anyone accessing your computer will discover your “secret”. Click here if you want to know more



  1. To avoid keeping your password in plaintext on your .bashrc (or .zshrc if you are a better person) use the following command:

    read -s p; mvn –encrypt-master-password $p; unset p;

    Input your password (the characters you type won’t be echoed) and you’re ready to go.
    This was tested on bash and zsh.

    With this one liner, the password will be read to an environment variable, passed as an argument to mvn, and unset when not needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s