OpsaC - Operating as PowerShell code
published: August 19, 2022 | author: Tinu | tags: PowerShell | categories: PowerShell-Basic
Use Microsoft.PowerShell.SecretManagement and do not store passwords in files!
This module provides a convenient way for a user to store and retrieve secrets. The secrets are stored in registered extension vaults. An extension vault can store secrets locally or remotely. SecretManagement coordinates access to the secrets through the registered vaults.
Install SecretManagement together with the SecretStore extension vault, then register a local vault:
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Verbose
Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name MyOwnStore
List the configuration:
Get-SecretStoreConfiguration
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****
Scope Authentication PasswordTimeout Interaction
----- -------------- --------------- -----------
CurrentUser Password 900 Prompt
Change the password timeout to 1 hour (3600 seconds):
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password -PasswordTimeout 3600 -Interaction Prompt
Get-SecretVault
Name ModuleName IsDefaultVault
---- ---------- --------------
MyOwnStore Microsoft.PowerShell.SecretStore True
$cred = Get-Credential
Set-Secret -Name $cred.UserName -SecureStringSecret $cred.Password -Metadata @{ URL = 'https://gmx.net' }
PowerShell credential request
Enter your credentials.
User: tinu@gmx.net
Password for user tinu@gmx.net: ********
Vault MyOwnStore requires a password.
Enter password:
****
Get-Secret -Name tinu@gmx.net -AsPlainText
1234@gmx
Get-SecretInfo -Name tinu*
Name Type VaultName
---- ---- ---------
tinu@gmx.net SecureString MyOwnStore
tinu@hotmail SecureString MyOwnStore
tinu@microsoft SecureString MyOwnStore
# Build one Name/Value hashtable per secret; $_.Name is the name of the current pipeline object
Get-SecretInfo -Name tinu* | ForEach-Object { @{ $_.Name = Get-Secret -Name $_.Name -AsPlainText } }
Name Value
---- -----
tinu@gmx.net 1234@gmx
tinu@hotmail 1234@gmx
tinu@microsoft 1234@gmx
Get-SecretInfo -Name tinu@gmx.net | fl *
Name : tinu@gmx.net
Type : SecureString
VaultName : MyOwnStore
Metadata : {[URL, https://gmx.net]}
Get-SecretInfo -Name tinu@gmx.net | Select-Object -ExpandProperty Metadata
Key Value
--- -----
ExpireAfter 2022-06-24 20:00:00
Url https://gmx.net
First, unlock the secret-store:
Unlock-SecretStore
In each script, put the following code to get the credentials of the given user (secret):
$SecretName = "tinu@gmx.net"
# Get-Secret returns a SecureString for SecretStore entries, so wrap it in a PSCredential
[PSCredential] $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $SecretName, (Get-Secret -Name $SecretName)
$creds
UserName Password
-------- --------
tinu@gmx.net System.Security.SecureString
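The snippet above works once the store is unlocked, but in a real script you usually also want to know whether the vault is reachable, whether the secret exists at all, and whether it has passed the ExpireAfter date shown in its metadata. The following function is an added example written for this post, not code from the original article or from the SecretManagement module; the function name Get-VaultCredential and its -AllowExpired switch are this example's own choices, while the ExpireAfter metadata key is the one used on this page.

```powershell
# Added example (not from the original post): retrieve a secret as a PSCredential
# without ever materialising the plain-text password in the script.
function Get-VaultCredential {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory)][string] $Name,
        [string] $Vault,           # optional: restrict the lookup to one registered vault
        [switch] $AllowExpired     # by default a secret past its ExpireAfter date is refused
    )

    $lookup = @{ Name = $Name }
    if ($Vault) {
        $lookup['Vault'] = $Vault
        # Test-SecretVault checks registration and reachability (and prompts to unlock a SecretStore).
        if (-not (Test-SecretVault -Name $Vault -ErrorAction SilentlyContinue)) {
            throw "Vault '$Vault' is not registered or could not be unlocked."
        }
    }

    # Get-SecretInfo never returns the secret value itself, only name, type, vault and metadata.
    $info = @(Get-SecretInfo @lookup -ErrorAction SilentlyContinue)
    if ($info.Count -eq 0) {
        $where = if ($Vault) { " in vault '$Vault'" } else { '' }
        throw "No secret named '$Name' was found$where."
    }
    if ($info.Count -gt 1) {
        throw "Secret name '$Name' matches $($info.Count) entries; pass -Vault or a more specific name."
    }
    $info = $info[0]

    # Honour an ExpireAfter metadata entry (a datetime, as in the post's Set-Secret -Metadata example).
    if ($info.Metadata -and $info.Metadata.ContainsKey('ExpireAfter')) {
        $expires = [datetime] $info.Metadata['ExpireAfter']
        if ($expires -lt (Get-Date) -and -not $AllowExpired) {
            throw "Secret '$Name' expired on $($expires.ToString('u')); rotate it before use."
        }
    }

    # SecretStore hands back a SecureString; vaults that store credentials natively (KeePass)
    # hand back a PSCredential. Normalise both to a PSCredential.
    $value = Get-Secret @lookup
    if ($value -is [pscredential]) {
        return $value
    }
    elseif ($value -is [securestring]) {
        return [pscredential]::new($Name, $value)
    }
    throw "Secret '$Name' is of type $($info.Type) and cannot be used as a credential."
}

# Usage in a script; the password stays a SecureString all the way to the consumer:
# $creds = Get-VaultCredential -Name 'tinu@gmx.net' -Vault MyOwnStore
# Invoke-RestMethod -Uri 'https://example.invalid/api' -Credential $creds
```

Because the existence and expiry checks run against Get-SecretInfo, a missing or stale entry fails before Get-Secret is called, so the failure message never contains secret material.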
Remove a secret from the vault:
Get-SecretInfo -Vault MyOwnStore
Remove-Secret -Vault MyOwnStore -Name tinu@gmx.net
Vault MyOwnStore requires a password.
Enter password:
****
Unregister the extension vault from SecretManagement for the current user:
Get-SecretVault
Unregister-SecretVault MyOwnStore
Install-Module Microsoft.PowerShell.SecretManagement, SecretManagement.KeePass -Verbose
Register-SecretVault -Name "KeePassDB" -ModuleName "SecretManagement.Keepass" -VaultParameters @{
Path = "$($env:USERPROFILE)\Documents\KeePassDB.kdbx"
UseMasterPassword = $true
DefaultVault = $true
}
Get-SecretVault
Name ModuleName IsDefaultVault
---- ---------- --------------
KeePassDB SecretManagement.Keepass False
Set the given vault name as the default vault for the current user:
Set-SecretVaultDefault -Name KeePassDB
First, unlock the secret vault:
Unlock-SecretVault -Name KeePassDB
Get-SecretInfo -Vault KeePassDB
Get-SecretInfo -Vault KeePassDB -Name *Token*
Get-Secret -Name "Token"
UserName Password
-------- --------
tinu System.Security.SecureString
Retrieve the password of the secret with the given name and copy it as plain text to the clipboard:
$Name = "Token"
$Secret = Get-Secret -Name $Name
[System.Net.NetworkCredential]::new($Name, $Secret.Password).Password | Set-Clipboard
List all secrets with the tag 'Business', then retrieve the password of a chosen name and copy it as plain text to the clipboard:
Write-Host "Get Secret from KeePassDB" -ForegroundColor Green
# Unlock the KeePass vault only if it is not already open
if (-not (Test-SecretVault -Name KeePassDB)) {
    Unlock-SecretVault -Name KeePassDB
}
$SecretInfo = Get-SecretInfo -Vault KeePassDB -WarningAction SilentlyContinue
# Calculated properties: pull the 'Accessed' and 'Tags' entries out of each secret's metadata
$Properties = (
    'Name',
    @{
        N = 'Accessed'
        E = {
            foreach ($item in $_.Metadata.Keys) {
                if ($item -match 'Accessed') { $_.Metadata[$item] }
            }
        }
    },
    @{
        N = 'Tags'
        E = {
            foreach ($item in $_.Metadata.Keys) {
                if ($item -match 'Tags') { $_.Metadata[$item] }
            }
        }
    }
)
$SecretInfo | Select-Object -Property $Properties | Where-Object Tags -match 'Business' | Out-String
$Name = Read-Host "Paste the FullName to search"
$Secret = Get-Secret -Vault KeePassDB -Name $Name
# Only the NetworkCredential conversion sees the plain text, and it goes straight to the clipboard
[System.Net.NetworkCredential]::new($Name, $Secret.Password).Password | Set-Clipboard
Write-Host "Set the password to the Clipboard. " -ForegroundColor Green -NoNewline
Read-Host -Prompt "Press any key to exit"
Get Secret from KeePassDB
Keepass Master Password
Enter the Keepass Master password for: C:\Users\Secret\Documents\KeePassDB.kdbx
Password for user Keepass Master Password: ********
Name Accessed Tags
---- -------- ----
Test for any access 03.09.2022 10:56:46 Business
Enter the FullName to search: Test for any access
Set the password to the Clipboard. Press any key to exit:
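The script above leaves the plain-text password on the clipboard until something else overwrites it. The function below is an added example written for this post, not part of the original article or of the SecretManagement.KeePass module: it copies the password for a limited time and then clears the clipboard, even if the user aborts with Ctrl+C. The vault name KeePassDB is taken from the post; the function name Copy-SecretToClipboard and the default timeout are this example's own choices.

```powershell
# Added example (not from the original post): time-limited clipboard copy of a secret.
function Copy-SecretToClipboard {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $Name,
        [string] $Vault = 'KeePassDB',
        [ValidateRange(5, 300)][int] $Seconds = 20   # how long the password stays on the clipboard
    )

    # Same unlock pattern as the post's script: prompt for the master password only when needed.
    if (-not (Test-SecretVault -Name $Vault)) {
        Unlock-SecretVault -Name $Vault
    }

    $secret = Get-Secret -Vault $Vault -Name $Name
    if ($null -eq $secret) {
        throw "Secret '$Name' not found in vault '$Vault'."
    }

    # KeePass entries come back as PSCredential, SecretStore entries as SecureString.
    $secure = if ($secret -is [pscredential]) { $secret.Password } else { [securestring] $secret }

    # Only this one call decrypts the SecureString; the result is piped directly to the clipboard.
    [System.Net.NetworkCredential]::new('', $secure).Password | Set-Clipboard
    Write-Host "Password for '$Name' is on the clipboard for $Seconds seconds." -ForegroundColor Green

    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # finally also runs when the pipeline is stopped with Ctrl+C,
        # so the password does not stay on the clipboard indefinitely.
        Set-Clipboard -Value ' '
        Write-Host 'Clipboard cleared.' -ForegroundColor Green
    }
}

# Copy-SecretToClipboard -Name 'Test for any access' -Seconds 15
```

Clearing the clipboard is a best-effort measure: clipboard managers and history features may still have captured the value, so keep the timeout short and prefer passing the PSCredential object directly to cmdlets wherever the consumer supports it.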
For this full example with AlmaLinux, you can use my project PSAutoMic to create the Docker container.
Create a Docker image and container with PowerShell installed, and start the container:
docker start alma_container
docker exec -it alma_container pwsh
sh-5.1# pwsh
PowerShell 7.3.4
Get-OsInfo
DistName : AlmaLinux
DistVersion : 9.2 (Turquoise Kodkod)
SupportURL : https://almalinux.org/
OS : GNU/Linux
KernelRelease : 5.15.90.1-microsoft-standard-WSL2
OSInstallDate : 2023-06-02
Install config-manager, the EPEL repository, and keepassxc:
dnf install 'dnf-command(config-manager)'
dnf config-manager --set-enabled crb
dnf install epel-release
dnf install keepassxc
Create a KeePass database file (keepassxc-cli db-create usage):
Usage: keepassxc-cli db-create [options] database
Create a new database.
Options:
-q, --quiet Silence password prompt and other secondary outputs.
--set-key-file <path> Set the key file for the database.
-p, --set-password Set a password for the database.
-t, --decryption-time <time> Target decryption time in MS for the database.
-h, --help Display this help.
Arguments:
database Path of the database.
I use a master password for the database, and it should be located in the home directory. You can use any volume for the location of the database to share it.
keepassxc-cli db-create --set-password /home/KeePassDB.kdbx
Couldn't load translations.
Enter password to encrypt database (optional): <your master-password>
Repeat password: <your master-password>
Successfully created new database.
Install the SecretManagement.Keepass and all dependencies:
Install-Module SecretManagement.Keepass -Verbose
...
VERBOSE: InstallPackage' - name='Microsoft.PowerShell.SecretManagement', version='1.1.2',destination='/tmp/311771630'
VERBOSE: InstallPackage' - name='PSFramework', version='1.7.270',destination='/tmp/311771630'
VERBOSE: InstallPackage' - name='SecretManagement.KeePass', version='0.9.2',destination='/tmp/311771630'
...
VERBOSE: Module 'SecretManagement.KeePass' was installed successfully to path '/root/.local/share/powershell/Modules/SecretManagement.KeePass/0.9.2'.
Register the SecretVault, set it as the default vault, and activate the master-password option:
cd home
Register-SecretVault -Name "KeePassDB" -ModuleName "SecretManagement.Keepass" -VaultParameters @{
Path = "/home/KeePassDB.kdbx"
UseMasterPassword = $true
DefaultVault = $true
}
Get-SecretVault
Name ModuleName IsDefaultVault
---- ---------- --------------
KeePassDB SecretManagement.KeePass True
Unlock the KeePassDB:
Unlock-SecretVault -Name KeePassDB
cmdlet Unlock-SecretVault at command pipeline position 1
Supply values for the following parameters:
Password: <your master-password>
Adding a secret:
$cred = Get-Credential
PowerShell credential request
Enter your credentials.
User: Tinu
Password for user Tinu: ***********
Set-Secret -Name $cred.UserName -SecureStringSecret $cred.Password
Retrieving secrets:
Get-SecretInfo -Vault KeePassDB
Name Type VaultName
---- ---- ---------
Tinu PSCredential KeePassDB
$SecretName = "Tinu"
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList $SecretName, (Get-Secret -Name $SecretName)
$creds | Format-List
UserName : Tinu
Password : System.Security.SecureString
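The registration and unlock steps above are typed interactively; when the same container is rebuilt or the script is re-run, Register-SecretVault fails on an already registered name. The function below is an added example written for this post, not code from the original article or from the SecretManagement.KeePass project: it makes the setup idempotent, reads the master password as a SecureString from the terminal instead of from a file, and verifies the vault afterwards. The database path /home/KeePassDB.kdbx and the vault name KeePassDB are taken from the post; the function name Initialize-KeePassVault is this example's own choice.

```powershell
# Added example (not from the original post): idempotent registration and unlock of the KeePass vault.
function Initialize-KeePassVault {
    [CmdletBinding()]
    param(
        [string] $Name = 'KeePassDB',
        [string] $Path = '/home/KeePassDB.kdbx'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Database '$Path' does not exist; create it first with 'keepassxc-cli db-create --set-password $Path'."
    }

    # Register only once; a second Register-SecretVault with the same name errors out.
    $existing = Get-SecretVault -Name $Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        Register-SecretVault -Name $Name -ModuleName 'SecretManagement.KeePass' -DefaultVault -VaultParameters @{
            Path              = $Path
            UseMasterPassword = $true
        }
    }
    elseif ($existing.VaultParameters['Path'] -ne $Path) {
        throw "Vault '$Name' is already registered for '$($existing.VaultParameters['Path'])', not '$Path'."
    }

    # The master password is entered once per session as a SecureString; nothing is written to disk.
    $master = Read-Host -Prompt "KeePass master password for $Path" -AsSecureString
    Unlock-SecretVault -Name $Name -Password $master

    if (-not (Test-SecretVault -Name $Name)) {
        throw "Vault '$Name' could not be opened with the supplied master password."
    }

    # Return the registration so the caller can see module name and default-vault state.
    Get-SecretVault -Name $Name
}

# Initialize-KeePassVault
# Set-Secret -Name 'Tinu' -Secret (Get-Credential)   # add an entry once the vault is open
```

Running the function twice is harmless: the second run skips registration, asks for the master password again and only reports an error if the registered vault points at a different database file than expected.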
See also: Microsoft.PowerShell.SecretManagement on docs.microsoft.com; KeePassXC: User Guide