diff --git a/.travis.yml b/.travis.yml
index ede527c59..3f3c0d2ab 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,12 @@
 language: scala
+
+# Don't commit sensitive files, commit the encrypted version: admin/encrypt.sh $SENSITIVE # keep it secret, add $SENSITIVE.enc to the repo
+# On travis: admin/decrypt.sh $SENSITIVE
+env:
+  - secure: "whJQqI/7G+kUJoCCGQYbv3Y/T2Cx3EcBKfCyvMkZaVgo0wFEOUguh8I+4QqRyf9cC/uPmzwCzV9uwXsNDMcY78jouY05A+fCEnUol/9TuF5PWmXF6Yr/UmmYoCQe4pioXsbXa4uOy18kLzE0h2sOIrJ5A9NL8/58iVgl4E3pwvk="
 script:
-  - sbt ++$TRAVIS_SCALA_VERSION clean update compile test
+  - admin/publishPrep.sh
+  - sbt ++$TRAVIS_SCALA_VERSION $publishVersion clean update compile test $extraTarget
 scala:
   - 2.11.4
 jdk:
diff --git a/admin/decrypt.sh b/admin/decrypt.sh
new file mode 100755
index 000000000..3c3c602f0
--- /dev/null
+++ b/admin/decrypt.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl aes-256-cbc -pass "pass:$SECRET" -in $1.enc -out $1 -d -a
\ No newline at end of file
diff --git a/admin/encrypt.sh b/admin/encrypt.sh
new file mode 100755
index 000000000..4bf6c9329
--- /dev/null
+++ b/admin/encrypt.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl aes-256-cbc -pass "pass:$SECRET" -in $1 -out $1.enc -a
\ No newline at end of file
diff --git a/admin/encryptAll.sh b/admin/encryptAll.sh
new file mode 100755
index 000000000..510bfe3d5
--- /dev/null
+++ b/admin/encryptAll.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Based on https://gist.github.com/kzap/5819745:
+
+echo "This will encrypt the cleartext sensitive.sbt and admin/secring.asc, while making the encrypted versions available for decryption on Travis."
+echo "Update your .travis.yml as directed, and delete the cleartext versions."
+echo "Press enter to continue."
+read
+
+# 1. create a secret, put it in an environment variable while encrypting files -- UNSET IT AFTER
+export SECRET=$(cat /dev/urandom | head -c 10000 | openssl sha1)
+
+# 2. add the "secure: ..." line under the env section -- generate it with ``  (install the travis gem first)
+travis encrypt SECRET=$SECRET
+
+admin/encrypt.sh admin/secring.asc
+admin/encrypt.sh sensitive.sbt
+
+# rm sensitive.sbt admin/secring.asc
\ No newline at end of file
diff --git a/admin/gpg.sbt b/admin/gpg.sbt
new file mode 100644
index 000000000..6ec4213ea
--- /dev/null
+++ b/admin/gpg.sbt
@@ -0,0 +1,21 @@
+// only added when publishing:
+addSbtPlugin("com.typesafe.sbt" % "sbt-pgp" % "0.8.3")
+
+/* There's a companion sensitive.sbt, which was created like this:
+
+1. in an sbt shell when sbt-gpg is loaded, create pgp key in admin/:
+
+ set pgpReadOnly := false
+ pgp-cmd gen-key // use $passPhrase
+ pgp-cmd send-key <keyIdUsingTabCompletion> hkp://keyserver.ubuntu.com
+
+2. create sensitive.sbt with contents:
+
+pgpPassphrase := Some($passPhrase.toArray)
+
+pgpPublicRing := file("admin/pubring.asc")
+
+pgpSecretRing := file("admin/secring.asc")
+
+credentials   += Credentials("Sonatype Nexus Repository Manager", "oss.sonatype.org", $sonaUser, $sonaPass)
+*/
diff --git a/admin/publishPrep.sh b/admin/publishPrep.sh
new file mode 100755
index 000000000..1914c60b7
--- /dev/null
+++ b/admin/publishPrep.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# prep environment for publish to sonatype staging if the HEAD commit is tagged
+
+headTag=$(git describe --exact-match ||:)
+
+if [[ "$headTag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)? ]]; then
+  echo "HEAD is tagged as $headTag."
+  export publishVersion="set every version := \"$(echo $headTag | sed -e s/^v//)\""
+  export extraTarget="publish-signed"
+  cat admin/gpg.sbt >> project/plugins.sbt
+  admin/decrypt.sh sensitive.sbt
+  (cd admin/ && ./decrypt.sh secring.asc)
+fi
diff --git a/admin/pubring.asc b/admin/pubring.asc
new file mode 100644
index 000000000..61de5ecf0
--- /dev/null
+++ b/admin/pubring.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.49
+
+mQENBFR/wRIBCACgRrOC5zAzSuuhf35NVzAG3K6xADFcxSKtxyIKydvlzhgdTuH8
+MvqLaQvo0gOQ/32DEnBy0DbDu8WEDvpZzEM21eTz/VW9VDb0fbNEXoLODY+IYt+v
+ohsw0NzQV6qSk2WQVYWVuZbfZXZBT3/JoDxHKRRl/IvZb8CQkRypxKVmsud/IOsu
+t/hHRWzbgPtNJNUX0Uhrz96P0+LcKfwUt34TMBIyfSY9C3ZPzPYTlhuDqtJunKTj
+NZljt9cbAMjJsuw0rSYNkAb5kGblguUn7BLp5Ngox6h7/MP7v1YM7WsXa3oMcHyX
+0Rf3PPE8HELcfsbF+FAN3jCNWgaz15bCz3lhABEBAAG0LHNjYWxhLXhtbCA8c2Nh
+bGEtaW50ZXJuYWxzQGdvb2dsZWdyb3Vwcy5jb20+iQEcBBMBAgAGBQJUf8ESAAoJ
+EIbbEE4RFVfeHWgH/1B5U+UT/lx8Z/V3qK3EfsVVM5nbcJqy+jRC9mNsO4VSX7+G
+rNuIn6oZ08SZKcmzWo71i9uqatgaFtVHhLbOJ9a72Ja8YoBSKerv6gpcFcAH4fDB
+m5FyoxbM0K9vLwUvkbewNLLK8XbWwuCuHTmtEW2WPv2d/PmyOXuXoos/E1HiPTkU
+iN5TIuJYpDvy7cxQL0qlaEcpWjzXHyy6+BFA1C8zlwoX+2iAx1rVGd3mPDHNgY+U
+Z3MYArHxu5QC3BZs2wsD9/SkioanFhzH4g/MB1qaQlD2WGqXwoDK2/Bsnu5pJaPA
+QhCuqobGMQ8Umupnejt8fIIQ/8A99sneBU+eEB8=
+=450t
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/admin/secring.asc.enc b/admin/secring.asc.enc
new file mode 100644
index 000000000..25ed5cc2d
--- /dev/null
+++ b/admin/secring.asc.enc
@@ -0,0 +1,40 @@
+U2FsdGVkX1/9hpS9pNHRzznj4yQKe9noi3duTRAp0JhO2nHrJwtDWdRcEBZXeWto
+7wbM7Ji+R4gqdNd3bb2UO8+NTcOtBE0/toioD/MV2fTTffzVVYwBvmknfknIcOdZ
+9pyfMvpwcdrZ+KSSGkg0xowac2bjVaO7i54DECxA2mMs5sqev/SiatnmsD6i5I5h
+Wif7bdaTqBOHIxJ70776iUc0Z+2auOc73by1MUPhR2ceh93KmavM6rkHk2JrzNj/
+wCwbgXLoC1NjQfgWM1tWIa1v7l1ZsvrU0ozz7ls3IR79EKGYvB0us+Qz0YUiv+Sn
+f237bzy/7PRB5bQTIHe9VWOMNGKgML4vw4VAZ59EMkiBDOCzWRCpfa4xdZJvYkrw
+K95/Lx4GhHI/i6/E6TGgzaJSwY5+24gmffLQBM4vyGTwJUOMjDkWaQLvhjbvTuYX
+y7xX0/mbhLAQ5qPyOESfC2gx6ZSvaXNctGNuEa+BcV74+17XxLrA/BVd9qiVEZhs
+peRFScKhz/mfVS6CBJ11arUtB0348em5ACIy/OEnXCSRP56TA0m1+OnZV9zUNJLX
+7W9AenWvxTrsgH1SyyUz0vpP9ujfHusWRpMPNy7Ovlp4WP1ntAYnqmPVUZUGBEIy
+0nWyTPAXNaPm4TsOCFWl3Ho0DYSyejJ2/nTTmpBXnDxIirba+MMPcu03tJydmBSC
+TID4qSR7DCJoYbosj1/88WxQmyC8JwFNnXPAN+VoPd4LtnC+K8urtMEg5wSY7p9G
+mQmqLKU2BhTkTn+d5l+7gzL1ILXWSuKEWUj5v813teZ784bMoYLM/q1vsHsjb2vk
+tFIxos6tk/xIfFkeFB59gLqavrPZJWTNNW3QIAQPdkYu7GB8y/3de6ujYKiaRlqH
+yuC87T5INBWSj+RBpyBLU50gMIIlEnJ56UYN2Lheaom/96ciqydalKJalQzhzpvR
+dy5JYXiWn4v5b1Rkyiv0XGVG0OaB//qgsicRBLOFfPQNQ/WaFHaa/QDMpMJrutAw
+QMztk5DlEbCOAzRYKjU7v3kCA3VVgXsgUr0dKy+bIUwFJ7jj9GN6PgHQiLIv9bNE
+s4vEDp/2XJ7dWwBZo5bnUmgdA8NSuu5JNGD0Xm7de3+1ZBd75N4XrLgTAk4Y4k/O
+VYDPeVyAUM2vfbu1sSXcT5hnTDjCuo9gZwPqCnwrDBqe3HjKRgQkf6ErlmcSOAXJ
+CU2mjwfbzLvx796o/XCClCAqZPBZJ0KgtWv7TCB4K96G3KBt4h6BmgjhFJIyOIjp
+MCBPHI1Nx+Kj+Pf81ItAh08OE1tJT53dGK37dSCCEkjoAAmKQFARvH8RKxGvq/j6
+o7YoQnzIb/fPGrLx8fzYL3t4YeuEdfTiudt1HHneffidQ6PTHlILeEzQ0c+51TJV
+D9AT8raAvJjZlwNIyXr4MwVSiIHKW0IIkTrR4IIYshhj9DOfa6MzhrJWfiWRZjXc
+4oKMv2mPzzfORi/Ct8JWfU2OKYy5jNsnZM5B/jo+z6MaXx8qZi5r+Lod2F1cQCnp
+GoXIni5Ad2E2uhqycCgQ7kb69z7QeuJzpAkQwcHBFBDfNrHW+HfqzD2qQH8hapKI
+k2y80EUnCwYjeP7NIY03+iJt02YUR52bVk8WX0AIoZoISwKfG9RA3F7Dsn7SgX3U
+aADuVVgE8REAUgJMX9+Y/u5/s3RIjXCwyAf0U9wpT/FhWMEegrwXt86kgxoW4TBf
++2yJSFfgiaTxN4Hx7Xt3/4usyx+hr9K3I1Y0q1M6NGvHfP4w9nb66h/bv1AhgM1J
+Tws+TDLS0POG4ZqbzMz6B3cr2NF45tD4zt8ZCoEnyjJKPfMqzsmSauvBHcsQTL7E
+GB7Bw9e+UkGBSHCe2ByvYDoBnppS/8Ct4eWEq8FfMQbnrUv+FfIDzhvgsN2LS/iY
+VW3mFcsOJKNT81Y2GIUlitU8P8ugF4GjCGHEb1ZHIjxiIb4V+8q5F6KoKMmpguAK
+qYSQvlz/uqwRhYrziygIZHPFAhEFaQraRg9fXyH1nWQ2pPqbVnlwFU/7J7FebnpF
+huE2rWuEdsNzPWuK/weTjYwEHs/jppirtfQtDtHts9tS8oAIGImVZRXrxvivRdpN
+TTrHrgRUaoRnR56OYfTF1eSsjc7CH6nIEtGXIa7RC5WT4cAEH9WwIlis9zXEp///
+xduZMomtAdlhhqwHkpwW0UWETvK6HzyrW2VlDEYvP21WaIsZBnrmeqKFW/pNub9l
+33f36uc3/t5vYP5QBsdZiTf2OGK3VZKzxjQL/whxlt9qAxOoHttyb4ZqtxNV/TNv
+/EzmlwGSM3iSLuZD0Eckzyw5/3rqDSLqfqZlJDgIBCjCTPInVyMA70MVyryYdbe7
+ADDPRnRkvcny2ncQzlkYCgGJdOABmaaE4ILwh/BknxEC7RBU/4NhflEehSwAjh10
+NensOrg5RBBScZDTKhKZkPM4ixPXCk6enSmXFQKyH2r+lq8vMae1DOM6AeGMrnfE
+u+aaGqFA/nDJrK3xwOOyEA==
diff --git a/project/build.properties b/project/build.properties
index 37b489cb6..748703f77 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=0.13.1
+sbt.version=0.13.7
diff --git a/sensitive.sbt.enc b/sensitive.sbt.enc
new file mode 100644
index 000000000..d3bf15775
--- /dev/null
+++ b/sensitive.sbt.enc
@@ -0,0 +1,7 @@
+U2FsdGVkX18gIxRNVlHPw4nCe2cnzM8eT6nuAX3tlZGkm1oWilS9WHMn51Xynkfu
+u93EwxakV6ov0Nci2ZfrGQcNYQk+0r/36YfK10wV2BMRFC+xZuu90WjaGkfWrnCZ
+Act4ID/vax/k0hHPTIAP7fbYvX0G+zQtyEtGrfuLvfb++BsX/o8Eyv2KaQkz/fYd
+PG9iwXd1agN6T3xb7EMu+sKheLNj4erxFCkJqwY525ZqWzvHP9aiSsFSPA/ubUS8
+LeqEU5RvCOo1GoG7qEv/yny4KT/IB5EIeuo8x3uVm8MNMQW+XzEVJBGErMcAWwnF
+v0eVpuAeMpTv/rU2VxBkwCE9I5TY3adYD8w9rxXaERGFaNzt48toOVEtY4Eju9AH
+uuP2s4VxE/XZtdKSCXc2ZA==