How does mvn --encrypt-master-password work?

Question

I would like to know the algorithm or technique used by this command (mvn --encrypt-master-password ). Each time I run it produces a different output. I\'m assuming that it

Answer 1

The encryption mechanism is not in the maven codebase per se. It is located on a library called plexus-cipher. It is always on the maven distribution. Mine is on lib/plexus-cipher-1.7.jar being 3.0.5 the maven version.

The actual cipher is AES/CBC/PKCS5Padding. The key for the cipher and IV for the block chaining are derived iterating SHA-256-ing over the provided password (encoded as UTF-8) concatenated with a JVM-configuration-specific (usually SHA1PRNG) 64-bit random salt once or twice.

No big surprises here. It seems to be on the same format every other soul is using nowadays.

The gory details can be found reading the source on the GitHub project page