Tinus EngOps Wiki

Logo

OpsaC - Operating as PowerShell code

Links

Home

PowerShell Blog

PowerShell Index

PowerShell Search

Additional Websites

View my GitHub Profile

View my GitHub Gists

View Tinus IT Wiki

View my Photo Website

Microsoft Secret Management

tags: PowerShell categories: PowerShell-Basic

Table of Contents

Secret Management

Use Microsoft.PowerShell.SecretManagement and do not store passwords in files!

This module provides a convenient way for a user to store and retrieve secrets. The secrets are stored in registered extension vaults. An extension vault can store secrets locally or remotely. SecretManagement coordinates access to the secrets through the registered vaults.

SecretManagement extension vaults:

Work with the SecretStore module as a SecretVault

Install the modules for SecretStore

Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Verbose

Register Module

Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name MyOwnStore

SecretStore configuration

List the configuration:

Get-SecretStoreConfiguration

Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password             900      Prompt

Change the password-timeout to 1 hour:

Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password -PasswordTimeout 3600 -Interaction Prompt

Get SecretVault

Get-SecretVault

Name          ModuleName                       IsDefaultVault
----          ----------                       --------------
MyOwnStore    Microsoft.PowerShell.SecretStore True

Adding and retrieving secrets

$cred = Get-Credential
Set-Secret -Name $cred.UserName -SecureStringSecret $cred.Password -Metadata @{ URL = 'https://gmx.net' } 

PowerShell credential request
Enter your credentials.
User: tinu@gmx.net
Password for user tinu@gmx.net: ********

Vault MyOwnStore requires a password.
Enter password:
****
Get-Secret -Name tinu@gmx.net -AsPlainText

1234@gmx
Get-Secretinfo -Name tinu*

Name           Type         VaultName
----           ----         ---------
tinu@gmx.net   SecureString MyOwnStore
tinu@hotmail   SecureString MyOwnStore
tinu@microsoft SecureString MyOwnStore
Get-Secretinfo -Name tinu* | % { @{$_.Name=Get-Secret -Name $Name -AsPlainText} }

Name                           Value
----                           -----
tinu@gmx.net                   1234@gmx
tinu@hotmail                   1234@gmx
tinu@microsoft                 1234@gmx
Get-SecretInfo -Name tinu@gmx.net | fl *

Name      : tinu@gmx.net
Type      : SecureString
VaultName : MyOwnStore
Metadata  : {[URL, https://gmx.net]}
Get-SecretInfo -Name tinu@gmx.net | Select-Object -ExpandProperty Metadata

Key         Value
---         -----
ExpireAfter 2022-06-24 20:00:00
Url         https://gmx.net

Retrieve a secret and use it as PSCredential-Object

First, unlock the secret-store:

Unlock-SecretStore

In each scripts, put the following code to get the credentials of the given user (secret):

$SecretName = "tinu@gmx.net"
[PSCredential] $creds = New-Object System.Management.Automation.PSCredential $SecretName , (Get-Secret -Name $SecretName)
$creds

UserName                         Password
--------                         --------
tinu@gmx.net System.Security.SecureString

Remove SecretVault

Un-registers an extension vault from SecretManagement for the current user.

Get-SecretInfo -Vault MyOwnStore
Remove-Secret -Vault MyOwnStore -Name tinu@gmx.net

Vault MyOwnStore requires a password.
Enter password:
****

Unregister SecretVault

Un-registers an extension vault from SecretManagement for the current user.

Get-SecretVault
Unregister-SecretVault MyOwnStore

[ Top ]

Work with the Keepass module as a SecretVault

Install the modules for KeePass

Install-Module Microsoft.PowerShell.SecretManagement, SecretManagement.KeePass -Verbose

Register Module

Register-SecretVault -Name "KeePassDB" -ModuleName "SecretManagement.Keepass" -VaultParameters @{
	Path = "$($env:USERPROFILE)\Documents\KeePassDB.kdbx"
	UseMasterPassword = $true
    DefaultVault = $true
}

Get SecretVault

Get-SecretVault

Name        ModuleName                       IsDefaultVault
----        ----------                       --------------
KeePassDB   SecretManagement.Keepass         False

Set KeePass as DefaultVault

Sets the provided vault name as the default vault for the current user.

Set-SecretVaultDefault -Name KeePassDB

Unlock SecretVault

First, unlock the secret-vault:

Unlock-SecretVault -Name KeePassDB

Retrieving SecretInfo

Get-SecretInfo -Vault KeePassDB
Get-SecretInfo -Vault KeePassDB -Name *Token*

Retrieve a secret and use it as PSCredential-Object

Get-Secret -Name "Token"

UserName                     Password
--------                     --------
tinu     System.Security.SecureString

Retrieve a secret and use it as PlainText

Retrieve the password of a specified Name and use it as PlainText form the Clipboard:

$Name   = "Token"
$Secret = Get-Secret -Name $Name
[System.Net.NetworkCredential]::new($Name, $Secret.Password).Password | Set-Clipboard

List all Secrets with the Tag ‘Business’, and retrieve the password of a specified Name and use it as PlainText form the Clipboard:

Write-Host "Get Secret from KeePassDB" -ForegroundColor Green 
if(-not(Test-SecretVault -Name KeePassDB)){
    Unlock-SecretVault -Name KeePassDB
}

$SecretInfo = Get-SecretInfo -Vault KeePassDB -WarningAction SilentlyContinue
$Properties = (
    'Name',
    @{
            N='Accessed'
            E={
                foreach($item in $_.Metadata.keys){
                    if($item -match 'Accessed'){$($_.Metadata[$item])}
                }
            }
        },
    @{
            N='Tags'
            E={
                foreach($item in $_.Metadata.keys){
                    if($item -match 'Tags'){$($_.Metadata[$item])}
                }
            }
        }
)
$SecretInfo | Select $Properties | Where Tags -match 'Business' | Out-String

$Name   = Read-Host "Paste the FullName to search"
$Secret = Get-Secret -Vault PrivatKdbx -Name $Name
[System.Net.NetworkCredential]::new($Name, $Secret.Password).Password | Set-Clipboard
Write-Host "Set the password to the Clipboard. " -ForegroundColor Green -NoNewline
Read-Host -Prompt "Press any key to exit"
Get Secret from KeePassDB

Keepass Master Password
Enter the Keepass Master password for: C:\Users\Secret\Documents\KeePassDB.kdbx
Password for user Keepass Master Password: ********


Name                Accessed            Tags
----                --------            ----
Test for any access 03.09.2022 10:56:46 Business


Enter the FullName to search: Test for any access
Set the password to the Clipboard. Press any key to exit:

[ Top ]

Full Example on AlmaLinux

For this full example with AlmaLinux, you can use my Project PSAutoMic to create the Docker-Container.

Create Docker Container

Create a Docker-Image and Docker-Container with installed PowerShell and start the container:

docker start alma_container
docker exec -it alma_container pwsh
sh-5.1# pwsh
PowerShell 7.3.4
Get-OsInfo

DistName      : AlmaLinux
DistVersion   : 9.2 (Turquoise Kodkod)
SupportURL    : https://almalinux.org/
OS            : GNU/Linux
KernelRelease : 5.15.90.1-microsoft-standard-WSL2
OSInstallDate : 2023-06-02

Install and configure KeePass

Install config-manager, EPEL-repository, and keepassxc:

dnf install 'dnf-command(config-manager)'
dnf config-manager --set-enabled crb
dnf install epel-release
dnf install keepassxc

Create a KeePassDB-file:

Usage: keepassxc-cli db-create [options] database
Create a new database.

Options:
  -q, --quiet                   Silence password prompt and other secondary outputs.
  --set-key-file <path>         Set the key file for the database.
  -p, --set-password            Set a password for the database.
  -t, --decryption-time <time>  Target decryption time in MS for the database.
  -h, --help                    Display this help.

Arguments:
  database                      Path of the database.

I use a master-password for the database and it should be located at the home directory. You can use any volume for the location of the database to share it.

keepassxc-cli db-create --set-password /home/KeePassDB.kdbx

Couldn't load translations.
Enter password to encrypt database (optional): <your master-password>
Repeat password: <your master-password>
Successfully created new database.

Install and configure SecretManagement for KeePass

Install the SecretManagement.Keepass and all dependencies:

Install-Module SecretManagement.Keepass -Verbose
...
VERBOSE: InstallPackage' - name='Microsoft.PowerShell.SecretManagement', version='1.1.2',destination='/tmp/311771630'  
VERBOSE: InstallPackage' - name='PSFramework', version='1.7.270',destination='/tmp/311771630'                           
VERBOSE: InstallPackage' - name='SecretManagement.KeePass', version='0.9.2',destination='/tmp/311771630'                
...
VERBOSE: Module 'SecretManagement.KeePass' was installed successfully to path '/root/.local/share/powershell/Modules/SecretManagement.KeePass/0.9.2'.

Register the SecretVault, and set it to the default vault, and activate the master-password option:

cd home
Register-SecretVault -Name "KeePassDB" -ModuleName "SecretManagement.Keepass" -VaultParameters @{
    Path = "/home/KeePassDB.kdbx"
    UseMasterPassword = $true
    DefaultVault = $true
}
Get-SecretVault

Name      ModuleName               IsDefaultVault
----      ----------               --------------
KeePassDB SecretManagement.KeePass True

Adding and retrieving secrets from KeePass

Unlock the KeePassDB:

Unlock-SecretVault -Name KeePassDB

cmdlet Unlock-SecretVault at command pipeline position 1
Supply values for the following parameters:
Password: <your master-password>

Adding a secret:

$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: Tinu
Password for user Tinu: ***********

Set-Secret -Name $cred.UserName -SecureStringSecret $cred.Password

Retrieving secrets:

Get-SecretInfo -Vault KeePassDB

Name Type         VaultName
---- ----         ---------
Tinu PSCredential KeePassDB
$SecretName = "Tinu"
$creds = New-Object System.Management.Automation.PSCredential $SecretName , (Get-Secret -Name $SecretName)

$creds | Format-List

UserName : Tinu
Password : System.Security.SecureString

See also

Microsoft.PowerShell.SecretManagement on docs.microsoft.com, KeePassXC: User Guide

[ Top ] [ Blog ]