This repository has been archived by the owner on Mar 1, 2023. It is now read-only.

echocat Velma

…is a Master-Password protected password safe for your Maven passwords. These passwords are normally stored in ~/.m2/settings.xml and can be protected by a master password in ~/.m2/settings-security.xml. But this approach is still dangerous, because every person with access to your computer has access to your Master-Password.

Velma solves this problem because it replaces the password stored on disk with a redirection to itself. Whenever someone tries to access your passwords in ~/.m2/settings.xml, Velma receives a request and prompts you for your Master-Password in a dedicated dialog.

Install

Download

See: Release page

Hint

General

The installers (msi, deb and rpm) register Velma in the autostart of your window manager to ensure that Velma is always running when you use Maven.

Windows

On 64-bit Windows systems the x64 executable of Velma is installed. This requires that the default Java is also x64.

Requirements

Java 1.7 or newer: Get the latest version.

Usage

First run

When Velma starts for the first time, it asks you to enter your master password. You can choose whatever you want, but remember: this is the password which will protect all your other passwords. Hint: Choose a passphrase with a minimum length of 12 characters.

Encrypt a password

Store password without encryption

Normally you have a .m2/settings.xml like this:

<settings xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
   ...
   <servers>
      <server>
         <id>myServer</id>
         <username>myUsername</username>
         <password>myPassword</password>
      </server>
   </servers>
   ...
</settings>

Standard encryption method

It is possible to encrypt the passwords by using a master password in ~/.m2/settings-security.xml. In this case your ~/.m2/settings.xml could be:

<settings xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
   ...
   <servers>
      <server>
         <id>myServer</id>
         <username>myUsername</username>
         <password>{COQLCE6DU6GtcS5P=}</password>
      </server>
   </servers>
   ...
</settings>

And your settings-security.xml:

<settingsSecurity>
   <master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>

This is the default Maven encryption pattern.

Velma encryption

  1. Right-Click on the Velma-SystrayIcon and choose Encrypt password.
  2. Enter your master password.
  3. In the following dialog (Encrypt password) enter the plain password for the target server twice.
  4. Hit Copy to clipboard and close. The encrypted password is now stored in your system clipboard.
  5. Now open your ~/.m2/settings.xml and put your encrypted password in <password>...</password> tag for the target server.

You are not required to modify ~/.m2/settings-security.xml. This is automatically done by Velma.

The resulting ~/.m2/settings.xml looks the same as with the standard encryption method, but your .m2/settings-security.xml is different and does not contain your master password.
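
The three configurations above can be told apart mechanically. The following audit is an added example, not part of Velma or Maven: the sample documents are constructed from the values shown on this page, and the function names and finding labels are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ENCRYPTED = re.compile(r"\{[^{}]+\}")  # Maven treats a {...} value as encrypted
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed samples, built from the snippets shown on this page.
SETTINGS = """<settings xmlns="http://maven.apache.org/POM/4.0.0"><servers>
  <server><id>plain</id><username>u</username><password>myPassword</password></server>
  <server><id>enc</id><username>u</username><password>{COQLCE6DU6GtcS5P=}</password></server>
</servers></settings>"""
SECURITY_MASTER = "<settingsSecurity><master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master></settingsSecurity>"
SECURITY_VELMA = (
    "<settingsSecurity><relocation>http://localhost:56276/"
    "3ee63610-adf1-4169-a029-5f96c575800f/settings-security.xml</relocation></settingsSecurity>")

def _root(xml_text):
    """Parse XML and drop namespaces so lookups work with or without xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit(settings_xml, security_xml=None):
    """Return (subject, finding) pairs for settings.xml and settings-security.xml."""
    findings = []
    for server in _root(settings_xml).iter("server"):
        sid = server.findtext("id", default="?")
        pw = (server.findtext("password") or "").strip()
        if pw and not ENCRYPTED.search(pw):
            findings.append((sid, "plaintext-password"))
    if security_xml is None:
        return findings
    sec = _root(security_xml)
    master = (sec.findtext("master") or "").strip()
    target = (sec.findtext("relocation") or "").strip()
    if master:
        # The weakness described on this page: the master password sits on disk.
        findings.append(("settings-security.xml", "master-on-disk"))
    elif target:
        url = urlparse(target)
        if url.scheme in ("http", "https"):
            kind = "loopback-url" if url.hostname in LOOPBACK else "remote-url"
        else:
            kind = "file"
        findings.append(("settings-security.xml", "relocation-" + kind))
    return findings
```
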

FAQ

What to do if I want to change my master password?

  1. Right-Click on the Velma-SystrayIcon and choose Change master password.
  2. Enter your current master password.
  3. Enter your new master password twice.
  4. Now you are required to re-encrypt all your passwords with the Encrypt password utility.
    Sorry, we plan to change these passwords automatically in the future when you change your master password, but currently you have to do this manually for all servers.

I lost my master password

This is bad! All your encrypted passwords are lost.

But you could delete ~/.velma/conf/velma.properties, choose a new master password and reencrypt all your passwords.

Secrets

Configuration

Velma stores all its information in ~/.velma/conf/velma.properties.

It is a good idea to always back up ~/.m2/settings.xml together with ~/.velma/*.

How does Maven get the master password?

At every start, Velma creates a new ~/.m2/settings-security.xml with content like this:

<settingsSecurity>
  <relocation>http://localhost:56276/3ee63610-adf1-4169-a029-5f96c575800f/settings-security.xml</relocation>
</settingsSecurity>

Velma now starts a small web server that listens on localhost:<port> and only answers requests for the specified URL. If another URL is requested, or if the user clicks the Fake response button in the Master-Password request dialog, the result is still a validly formed master password, but not the correct one.
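
A sketch of the relocation mechanism described above, as an added Python example that is not Velma's own code. The function names, the `unlock` callback standing in for the password dialog, and the `<master>` response body are assumptions made for illustration.

```python
import base64
import hmac
import secrets
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def wrap(master_value):
    return "<settingsSecurity><master>%s</master></settingsSecurity>" % master_value

def make_responder(secret_path, unlock):
    """unlock() stands in for the dialog; returning None models 'Fake response'."""
    decoy = wrap("{" + base64.b64encode(secrets.token_bytes(32)).decode() + "}")
    def respond(request_path):
        # Constant-time compare so the path token cannot be probed byte by byte.
        if hmac.compare_digest(request_path.encode(), secret_path.encode()):
            master = unlock()
            if master is not None:
                return wrap(master)
        return decoy  # well-formed master entry, but not the real one
    return respond

def start(unlock):
    """Bind to loopback on an ephemeral port; return (server, relocation_xml)."""
    path = "/%s/settings-security.xml" % uuid.uuid4()  # fresh random path per start
    respond = make_responder(path, unlock)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = respond(self.path).encode()
            self.send_response(200)  # same status for real and decoy answers
            self.send_header("Content-Type", "application/xml")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the secret path out of stderr
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # never 0.0.0.0
    url = "http://127.0.0.1:%d%s" % (server.server_address[1], path)
    return server, "<settingsSecurity>\n  <relocation>%s</relocation>\n</settingsSecurity>\n" % url
```

The returned server only starts answering once `serve_forever()` is called, typically in a background thread.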

License

echocat Velma is licensed under MPL 2.0.