My answer is based on reading the Maven source code and doing a little research.
- Does the encrypted master password provide security simply by existing in settings-security.xml in a folder that only one user can access (~/.m2)? If so, why bother with encrypting a ‘master password’ (why not just use some random value)? Isn’t the ‘master password’ really just an entropy input to the cryptographic function? Calling it a password is confusing – I expected Maven to prompt me for this password before decrypting any encrypted server passwords, but it did not.
The master password is an input into the cryptographic function for encrypting/decrypting the server passwords. If someone has your individual encrypted server passwords, they won’t be able to decrypt them unless they also have your master password. This means you can freely share your Maven settings.xml file with others, without them being able to decrypt your server passwords. This is also why the master password is kept in a separate file.
This rationale is somewhat explained in the encryption guide.
- Do the master password and server passwords use the same encryption process/cipher? The server passwords are based on the master password, so there must be some difference in the algorithm. Where is the source code for this located?
From what I can tell, the master password is encrypted using the same cipher as the server passwords. When decrypting the server passwords, the master password (unencrypted form) is an input; when decrypting the master password, the magic string ‘settings.security’ is used as the additional input.
You can see the source code in PBECipher and MavenCli.java.
- I have observed that the same master password or server password encrypted multiple times gives different hashes. According to Marcelo Morales’ answer on How does maven --encrypt-master-password work, this is because ‘a JVM-configuration-specific (usually SHA1PRNG) 64-bit random salt’ is added to the password prior to encrypting. Maven decrypts stored passwords when they are used at compile time. Doesn’t this mean the salts have to be stored somewhere?
A traditional approach to handling salts is that the random salt is stored with the encrypted text, alongside it. See the Wikipedia article.
Based on the source code linked above, the salt appears to be stored as the first 8 bytes of the Base64 decoded bytes, right before the encrypted password.
- I have also observed that a regular password encrypted using one encrypted master password will still work if the master password is re-encrypted and stored in the settings-security.xml file, even though the encrypted master password ciphertext is now different. Can someone explain how this works?
This is because the decrypted form of the master password is used, not the encrypted “ciphertext”. Thus re-encrypting it doesn’t affect the server password encryption/decryption.
I don’t know the answer to your last two (5 and 6) questions.
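The two-layer scheme described in points 2 to 4 above, as an added illustration that is not Maven's own code: the random salt is stored in front of the ciphertext, the master password is encrypted under the fixed input ‘settings.security’, and server passwords are keyed by the decrypted master password, so re-encrypting the master (new salt, new ciphertext) leaves existing server passwords decryptable. The cipher, key derivation, iteration count and authentication tag here are assumptions chosen for a self-contained demo, not PBECipher's actual algorithm or byte layout.

```python
import base64
import hashlib
import hmac
import os
# Assumed parameters for this illustration; Maven's PBECipher has its own cipher, key
# derivation and byte layout. Only the structure from the answer is mirrored here.
SALT_LEN = 8          # the 64-bit random salt stored as the first bytes of the token
TAG_LEN = 16
ITERATIONS = 100_000
MASTER_INPUT = "settings.security"  # magic string keying the master-password layer

def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter keystream: a stand-in for a real cipher mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(password: str, plaintext: str) -> str:
    salt = os.urandom(SALT_LEN)  # fresh salt: the same input encrypts differently each time
    key = _derive_key(password, salt)
    body = _xor_stream(key, plaintext.encode())
    tag = hmac.new(key, salt + body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b64encode(salt + body + tag).decode("ascii")  # salt travels with the text

def decrypt(password: str, token: str) -> str:
    raw = base64.b64decode(token)
    salt, body, tag = raw[:SALT_LEN], raw[SALT_LEN:-TAG_LEN], raw[-TAG_LEN:]
    key = _derive_key(password, salt)  # read the salt back first, then derive the key
    expect = hmac.new(key, salt + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password or tampered ciphertext")
    return _xor_stream(key, body).decode()

def encrypt_master(master_password: str) -> str:
    return encrypt(MASTER_INPUT, master_password)

def decrypt_master(encrypted_master: str) -> str:
    return decrypt(MASTER_INPUT, encrypted_master)

def encrypt_server(encrypted_master: str, server_password: str) -> str:
    # The decrypted master password is the key input, never its ciphertext.
    return encrypt(decrypt_master(encrypted_master), server_password)

def decrypt_server(encrypted_master: str, token: str) -> str:
    return decrypt(decrypt_master(encrypted_master), token)
```

Encrypting the same constructed master password twice yields two different tokens that both decrypt to it, and a server password encrypted under the first token still decrypts under the second.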