You might want to look into secrets management tools such as Vault from HashiCorp and Keywhiz from Square.
-----Original Message-----
From: Alix Lourme [mailto:alix.lou...@gmail.com]
Sent: Friday, March 17, 2017 8:39 AM
To: Maven Users List <users@maven.apache.org>
Subject: [EXTERNAL] Maven password encryption by project

Dear community,

I'm searching for the best practice for password encryption in a Maven POM file *by project*, that could be used by properties (like in ANT or WAGON).

Sample:
---
<plugin>
  <artifactId>maven-antrun-plugin</artifactId>
  <version>1.8</version>
  <configuration>
    <target>
      <echo message="Get docker certificates" />
      <mkdir dir="cert" />
      <scp file="root:${docker.password}@10.xx.xx.xx:/root/.docker/*" todir="cert" trust="yes" />
    </target>
  </configuration>
</plugin>
---

In this case, my *docker.password* could be a property (pom or settings.xml) but must not be in clear text.

The problem with Maven encryption <https://maven.apache.org/guides/mini/guide-encryption.html>:
- I have a master password defined in *settings-security.xml* (locally) for my user needs (like proxy password encryption in MY *settings.xml*)
- The CI tool contains the same mechanism (its own *settings-security.xml*) for global needs, like server encryption used in *settings.xml* for jar publication in the repository; and I can't retrieve this file

=> I can't use this mechanism for password encryption that works locally and on the CI server.

*Is there a way to have an encryption mechanism for the project's perimeter?* (and not for the user's perimeter; current Maven encryption works perfectly for that).

---
Using the -s and -gs Maven options (=> user/global settings override) could be a workaround, but:
- Server item definition or properties defining password must be in clear text
- Using these Maven settings for each build depending on the project workspace is a little boring

Perhaps there is a better way, like a "private key by project" ... but I didn't find an entry point about that.

Thanks in advance. Best regards

*NB*: This question was first posted on stackoverflow <https://stackoverflow.com/questions/33784790/maven-password-encryption-by-project>, but no real interest ^^.

--
Alix Lourme
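An added example, not part of the thread or of Maven itself: a small audit that flags the clear-text cases the question wants to avoid in antrun-style `user:password@host` attributes. The sample POM, its passwords and hosts, and the `DOCKER_PASSWORD` environment variable (resolved by Maven through `${env.*}`, for instance after a build wrapper has fetched it from a secrets manager) are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM, modelled on the antrun/scp snippet in the question.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <docker.password>s3cret</docker.password>
  </properties>
  <build><plugins><plugin>
    <artifactId>maven-antrun-plugin</artifactId>
    <configuration><target>
      <scp file="root:${docker.password}@10.0.0.5:/root/.docker/*" todir="cert"/>
      <scp file="root:hunter2@10.0.0.6:/root/.docker/*" todir="cert"/>
      <scp file="root:${env.DOCKER_PASSWORD}@10.0.0.7:/root/.docker/*" todir="cert"/>
    </target></configuration>
  </plugin></plugins></build>
</project>"""

USERINFO = re.compile(r"^[^:@/\s]+:(?P<pw>[^@]+)@")  # user:password@host...
PROP_REF = re.compile(r"^\$\{([^}]+)\}$")            # ${some.property}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_pom(pom_xml):
    """Return (element, attribute, reason) for each password stored in clear text.
    The password value itself is never copied into the findings."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root:  # top-level <properties> of the POM
        if local(el.tag) == "properties":
            props = {local(p.tag): (p.text or "").strip() for p in el}
    findings = []
    for el in root.iter():
        for attr, value in el.attrib.items():
            m = USERINFO.match(value)
            if not m:
                continue
            ref = PROP_REF.match(m.group("pw"))
            if ref is None:
                findings.append((local(el.tag), attr, "literal password in attribute"))
            elif ref.group(1) in props and not PROP_REF.match(props[ref.group(1)]):
                # Referenced property is defined with a literal value in this POM.
                findings.append((local(el.tag), attr,
                                 "property %s defined in clear text in POM" % ref.group(1)))
            # Otherwise the value comes from outside the POM (e.g. ${env.*}).
    return findings

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```

A reference that is not defined in the POM is only assumed to be supplied safely; a property set in clear text in settings.xml would need the same check run against that file.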