Gradle plugin to store and access encrypted credentials for use in Gradle builds.
The work on this software project is in no way associated with my employer nor with the role I'm having at my employer. Any requests for changes will be decided upon exclusively by myself based on my personal preferences. I maintain this project as much or as little as my spare time permits.
Gradle plugin that allows to store and access encrypted credentials using password-based encryption (PBE).
The credentials plugin is hosted at Bintray's JCenter.
Recent build scan: https://scans.gradle.com/s/vzlk2e4dnfzge
Find out more about build scans for Gradle and Maven at https://scans.gradle.com.
One typical use case of the 'gradle.properties' file in the Gradle user home directory is to store credentials, and to reference them from Gradle builds as project properties. This is a very convenient functionality at the cost that, by default, these properties are stored in plain text. It happens quickly that such credentials are exposed accidentally while giving a Gradle presentation or while pair-programming with a colleague.
The credentials plugin provides a parallel functionality to the 'gradle.properties' file to store and access credentials in an encrypted format through a 'gradle.encrypted.properties' files, thereby avoiding that credentials are ever stored in plain text.
The following functionality is provided by the credentials plugin:
All access and storage of credentials goes through password-based encryption. The passphrase can either be specified as a project property from the command line, or a default passphrase is used. The JDK encryption algorithm applied is AES using a key that is generated using PBKDF2WithHmacSHA1 from an 8-byte salt, an iteration count of 65536, and a key length of 128 (longer keys require local installation of the JRE Security Extension).
Access to the stored credentials from within a Gradle build happens through the
credentialsproject property. All read and write operations to the credentials container apply the decryption and encryption on the fly. The credentials container never holds any credentials in their decrypted form.
Please note that the author of this plugin is by far not a security expert. It is also not the primary goal of this plugin to provide high-security encryption, but rather to provide a convenient way to avoid having to store credentials in plain text.
Apply the
nu.studer.credentialsplugin to your Gradle project.
plugins { id 'nu.studer.credentials' version '2.1' }
Please refer to the Gradle DSL PluginDependenciesSpec to understand the behavior and limitations when using the new syntax to declare plugin dependencies.
Apply the
nu.studer.credentialsplugin to your Gradle settings file.
buildscript { repositories { gradlePluginPortal() } dependencies { classpath 'nu.studer:gradle-credentials-plugin:2.1' } }apply plugin: 'nu.studer.credentials'
You can store new credentials or update existing credentials through the
addCredentialstask. Pass along the credentials key and value through the task options
--keyand
--value. The credentials are stored in the GRADLEUSERHOME/gradle.encrypted.properties.
gradle addCredentials --key someKey --value someValue
Optionally, pass along a custom passphrase through the
credentialsPassphraseproject property. The credentials are stored in the passphrase-specific GRADLEUSERHOME/gradle.MD5HASH.encrypted.properties where the MD5HASH is calculated from the specified passphrase.
gradle addCredentials --key someKey --value someValue -PcredentialsPassphrase=mySecretPassPhrase
Optionally, pass along a custom directory location of the credentials file through the
credentialsLocationproject property.
gradle addCredentials --key someKey --value someValue -PcredentialsLocation=/some/directory
You can remove existing credentials through the
removeCredentialstask. Pass along the credentials key through the
--keyproject property. The credentials are removed from the GRADLEUSERHOME/gradle.encrypted.properties.
gradle removeCredentials --key someKey
Optionally, pass along a custom passphrase through the
credentialsPassphraseproject property. The credentials are removed from the passphrase-specific GRADLEUSERHOME/gradle.MD5HASH.encrypted.properties where the MD5HASH is calculated from the specified passphrase.
gradle removeCredentials --key someKey -PcredentialsPassphrase=mySecretPassPhrase
Optionally, pass along a custom directory location of the credentials file through the
credentialsLocationproject property.
gradle addCredentials --key someKey --value someValue -PcredentialsLocation=/some/directory
Get the desired credentials from the
credentialscontainer, available on the project instance. The credentials are decrypted as they are accessed.
String accountPassword = credentials.someAccountName
If no explicit passphrase is passed when starting the build, the
credentialscontainer is initialized with all credentials persisted in the GRADLEUSERHOME/gradle.encrypted.properties.
If a custom passphrase is passed through the
credentialsPassphraseproject property when starting the build, the
credentialscontainer is initialized with all credentials persisted in the passphrase-specific GRADLEUSERHOME/gradle.MD5HASH.encrypted.properties where the MD5HASH is calculated from the specified passphrase.
If a custom directory location is passed through the
credentialsLocationproject property when starting the build, the credentials file will be seeked in that directory.
Set the desired credentials on the
credentialscontainer, available on the project instance. The credentials are encrypted as they are assigned.
credentials.someAccountName = 'verySecret'
Credentials added ad-hoc during the build are not persisted on the file system.
The build script of the credentials plugin makes use of itself and serves as a real-world example. You can also find a self-contained example build script here.
The credentials plugin can also be applied to a Gradle settings file. You can find a self-contained example build script here.
Both feedback and contributions are very welcome.
This plugin is available under the Apache License, Version 2.0.
(c) by Etienne Studer