ulisesbocchio / jasypt-spring-boot

Jasypt integration for Spring boot
MIT License

maven clean install without putting encryption password in properties #71

Closed iKrushYou closed 6 years ago

iKrushYou commented 6 years ago

I'm trying to run a Maven clean install from my Jenkins, but I keep running into errors surrounding jasypt.encryptor.password, like it being missing. So I added this to my .properties file: jasypt.encryptor.password=dummy, but now I get an error saying the passwords don't match. Obviously... But I don't want to write the password in my .properties file.

Any suggestions?

rupert-madden-abbott commented 6 years ago

Does this work?

```shell
mvn clean install -Djasypt.encryptor.password=dummy
```

iKrushYou commented 6 years ago

@rupert654 Hi, thanks, yeah that does work, but now I'm running into the issue of having to have the decryption password stored on the Jenkins server... I'm not necessarily worried about this being a security risk in reality, but I feel like this is probably not the best practice as far as passwords go... What do you think?

rupert-madden-abbott commented 6 years ago

@iKrushYou Yeah we went through this exact sequence of problems as well.

You are always going to be leaving a password somewhere. The main advantage for us of using jasypt was it allowed us to include passwords in version control securely whilst still allowing devs to run applications locally, easily.

The remote server (we use Jenkins as well) is still going to need the encryption passwords, and at several stages depending on what you are doing.

Jenkins has a variety of mechanisms to let you inject your passwords securely. If you are manually managing your build jobs, then I recommend using this plugin: https://wiki.jenkins.io/display/JENKINS/EnvInject+Plugin. This should give you an option to inject passwords into your builds and store them securely. It will also mask them so they don't appear in build logs. Here you add the password directly through the job's configuration page.

If you are using Jenkins pipelines (recommended), then you can use the Credentials Binding plugin: https://wiki.jenkins.io/display/JENKINS/Credentials+Binding+Plugin. This will add the withCredentials DSL method, and the plugin home page gives an example of how to use this to inject a username and password, but you can also just inject secret text as well. Here you add the credentials to Jenkins' central credentials storage, which is under "Manage Jenkins" -> "Credentials".
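
The pipeline variant described above, as an added example that is not part of the original thread or the jasypt-spring-boot project: a declarative Jenkinsfile that binds a "Secret text" credential via withCredentials and hands it to Maven as the -Djasypt.encryptor.password system property. The credential ID jasypt-encryptor-password and the environment variable name are assumptions; create the secret text credential under "Manage Jenkins" -> "Credentials" first.

```groovy
// Added example (not from the original thread or project). Assumes a
// "Secret text" credential with ID 'jasypt-encryptor-password' exists in
// the Jenkins credentials store; the variable name is also an assumption.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                withCredentials([string(credentialsId: 'jasypt-encryptor-password',
                                        variable: 'JASYPT_ENCRYPTOR_PASSWORD')]) {
                    // Single-quoted Groovy string on purpose: the variable is
                    // expanded by the shell at run time, not by Groovy, so the
                    // secret never becomes part of the command text that
                    // Jenkins echoes to the console log. The bound value is
                    // masked in the log for the duration of this block.
                    sh 'mvn clean install -Djasypt.encryptor.password="$JASYPT_ENCRYPTOR_PASSWORD"'
                }
            }
        }
    }
}
```

Jenkins masks the bound value in console output, but a -D system property is still visible in the Maven process's argument list on the build agent while the build runs, so treat the agent itself as part of the trust boundary.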

ulisesbocchio commented 6 years ago

I agree with @rupert654. @iKrushYou, what I recommend though is to have your real properties somewhere else (the ones you use for DEV, STAGE, PROD, etc.), while keeping unencrypted properties for local development. That way your unit tests don't even need jasypt.encryptor.password. When you run in the actual environment though, someone will have to set the password there...