I'm trying to understand Maven 3's password encryption feature. I have found that this feature is poorly documented and confusing. For example, the feature documentation and a
I need to know this for bnd(tools) so I can share some deeper analysis.
The 'encrypted' passwords have a syntax of:
output ::= '{' base64(packet) '}'
packet ::= salt[8] padlen[1] encrypted[?] padding[padlen]
salt ::=
padlen ::=
padding ::=
The cipher used is AES/CBC/PKCS5Padding. The secret key and initialisation vector are calculated as follows:
sha = sha256( X + salt[8] )
key = sha[0..16]
iv = sha[16..32]
For the master password, X is "security.settings". Since this is a well-known constant, the master password is not encrypted but only obscured. For the server passwords, X is the decoded master password.
Why the resulting packet is padded is unclear; it seems a waste of bytes, since the packet format makes the padding trivial to strip and the padding bytes are never part of the encryption/decryption. They just add a few random characters to the base64 string.
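As an added example (not code from the post, nor Maven's own plexus-cipher), here is a Go implementation of the packet syntax, the key/IV derivation and the trailing padding exactly as described above; Encrypt takes the salt as a parameter so its output is reproducible, where Maven draws the salt and the filler bytes at random. The string passed as X is a caller choice here; for the master password, the constant plexus-sec-dispatcher uses as X is "settings.security" (its SYSTEM_PROPERTY_SEC_LOCATION), which the post gives as "security.settings".

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Derivation from the post: sha = sha256(X || salt[8]); key = sha[0..16], iv = sha[16..32].
func keyAndIV(x string, salt []byte) (cipher.Block, []byte) {
	sum := sha256.Sum256(append([]byte(x), salt...))
	block, _ := aes.NewCipher(sum[:16]) // 16-byte key, so NewCipher cannot fail
	return block, sum[16:]
}

// Encrypt builds '{' base64(salt[8] padlen[1] encrypted padding[padlen]) '}'; salt is a parameter for reproducibility (Maven randomises salt and filler).
func Encrypt(plain, x string, salt [8]byte) string {
	block, iv := keyAndIV(x, salt[:])
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS5Padding: always 1..16 bytes
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	padLen := aes.BlockSize - (8+1+len(ct))%aes.BlockSize // trailing filler, never encrypted
	packet := append(append(append(salt[:], byte(padLen)), ct...), make([]byte, padLen)...)
	return "{" + base64.StdEncoding.EncodeToString(packet) + "}"
}

// Decrypt strips the braces, splits the packet, derives key/iv and undoes AES/CBC/PKCS5Padding.
func Decrypt(decorated, x string) (string, error) {
	i, j := strings.Index(decorated, "{"), strings.LastIndex(decorated, "}")
	if i < 0 || j <= i {
		return "", errors.New("value is not {...} decorated")
	}
	packet, err := base64.StdEncoding.DecodeString(decorated[i+1 : j])
	if err != nil || len(packet) < 9 || len(packet)-9-int(packet[8]) < aes.BlockSize ||
		(len(packet)-9-int(packet[8]))%aes.BlockSize != 0 {
		return "", errors.New("malformed packet")
	}
	block, iv := keyAndIV(x, packet[:8])
	pt := make([]byte, len(packet)-9-int(packet[8])) // ciphertext sits between padlen and the filler
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, packet[9:9+len(pt)])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize {
		return "", errors.New("bad PKCS5 padding (wrong master password?)")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Because the ciphertext is always whole AES blocks, the filler length works out to 7 bytes for every input, which is why the packet total is always a multiple of 16.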
The only way this is useful is with the relocation facility: for example, if you mount settings-security.xml on a private mount on the build server, you can then freely share the settings.xml file in public repos. However, this is also a sucky solution, since you need to mount it at the same mount point for all your users and CI build servers.
Be aware that any plugin can decode all your server passwords, so never use real passwords for the servers. Nexus can create proxy passwords.