PowerShell - Secret Management
Hello koalas
This post is about the PowerShell module "Microsoft.PowerShell.SecretManagement" by Microsoft.
This module provides a convenient way to store and use secrets (credentials such as usernames and passwords).
The secrets are stored in a vault, which can be local or remote.
Available Vaults
Examples of available vaults:
Find-Module -Tag "SecretManagement" | Select-Object -Property Name, Description
Result:
This means you can connect the SecretManagement module to your preferred vault. Cool, isn't it? 😀
Install Secrets Modules
Install Microsoft.PowerShell.SecretManagement
You can install the module by using this command:
Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery
Install Microsoft.PowerShell.SecretStore
You can install the module by using this command:
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery
Remark: "-Repository PSGallery" is optional and can be replaced by another repository.
Verify your modules are installed
You can verify if the modules are correctly installed by using this command:
Get-InstalledModule -Name *Secret* | Format-Table -AutoSize -Wrap
Result:
Analyze the commands available
List all commands available in the module Microsoft.PowerShell.SecretManagement:
Get-Command -Module Microsoft.PowerShell.SecretManagement
Result:
| Command | Description |
| --- | --- |
| Get-Secret | Finds and returns a secret by name from registered vaults. |
| Get-SecretInfo | Finds and returns secret metadata information of one or more secrets. |
| Get-SecretVault | Finds and returns registered vault information. |
| Register-SecretVault | Registers a SecretManagement extension vault module for the current user. |
| Remove-Secret | Removes a secret from a specified registered extension vault. |
| Set-Secret | Adds or updates a secret in a SecretManagement registered vault. |
| Set-SecretInfo | Adds or replaces additional secret metadata on a secret currently stored in a vault. |
| Set-SecretVaultDefault | Sets the provided vault name as the default vault for the current user. |
| Test-SecretVault | Runs an extension vault self test. |
| Unregister-SecretVault | Unregisters an extension vault from SecretManagement for the current user. |
List all commands available in the module Microsoft.PowerShell.SecretStore:
Get-Command -Module Microsoft.PowerShell.SecretStore
Result:
| Command | Description |
| --- | --- |
| Get-SecretStoreConfiguration | Returns SecretStore configuration information. |
| Reset-SecretStore | Resets the SecretStore by deleting all secret data and configuring the store with default options. |
| Set-SecretStoreConfiguration | Sets SecretStore configuration properties. |
| Set-SecretStorePassword | Replaces the current SecretStore password with a new one. |
| Unlock-SecretStore | Unlocks SecretStore with the provided password. |
Set up the Vault
First you have to register a vault. In this example we will use the "SecretStore" vault module from Microsoft.
Info: PersonalVault is the name of the vault. It could be anything you want.
Register-SecretVault -Name PersonalVault -ModuleName Microsoft.PowerShell.SecretStore
Check that the vault is set up correctly with this command:
Get-SecretVault
Result:
Check your store configuration with this command:
Get-SecretStoreConfiguration
Result:
The result means that the vault is scoped to the current user, is protected by a password, and asks for that password in an interactive prompt. Once unlocked, the vault stays open for 15 minutes (900 seconds).
You can change any of these properties with the command:
Set-SecretStoreConfiguration
Example:
Set-SecretStoreConfiguration -PasswordTimeout 300
You can see that the timeout has been set to 5 minutes (300 seconds) instead of the default 15 minutes.
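The whole set-up as one script, as an added example that is not part of the original post: it registers the SecretStore vault only if it is not registered yet, sets the password protection and the 5-minute timeout in a single call, and asks the vault to test itself before it is used. The vault name "PersonalVault" and the 300-second timeout are assumptions taken over from the post's examples.

```powershell
# Added example (not from the original post). Assumes the vault name
# 'PersonalVault' and a 300-second timeout, as in the post.
$vaultName = 'PersonalVault'

# Register-SecretVault errors if the name is already registered, so check first.
if (-not (Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name $vaultName `
                         -ModuleName Microsoft.PowerShell.SecretStore `
                         -DefaultVault
}

# Require a password, prompt for it interactively, and lock the store again
# 5 minutes after the last unlock. -Confirm:$false suppresses the
# confirmation question; the password prompt itself still appears.
Set-SecretStoreConfiguration -Scope CurrentUser `
                             -Authentication Password `
                             -Interaction Prompt `
                             -PasswordTimeout 300 `
                             -Confirm:$false

# Let the extension vault test itself (it writes and reads a temporary secret).
# Test-SecretVault returns $true or $false.
if (-not (Test-SecretVault -Name $vaultName)) {
    throw "Vault '$vaultName' failed its self test; check the output above."
}

# Show the resulting configuration so it can be compared with the expected values.
Get-SecretStoreConfiguration
```

For unattended scripts, `-Interaction None` together with `Unlock-SecretStore -Password <SecureString>` avoids the prompt, but then the store password has to come from somewhere else (for example another vault or a managed identity); with `-Authentication None` the store is not protected by a password at all, so anything running as that user can read it.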
Use the Vault
Save Secret
Save a secret to your vault with this command:
Set-Secret -Name "FirstEntry" -Secret "This is my secret"
and a second one for good measure:
Set-Secret -Name "SecondEntry" -Secret "This is another secret"
List your secret entries
List your secret entries with this command:
Get-SecretInfo
Result:
Check the content of an entry
Check the content of an entry with this command:
Get-Secret YourEntry -AsPlainText
Result:
Another way is like this:
$mySecret = Get-Secret YourEntry
ConvertFrom-SecureString $mySecret -AsPlainText
Use a secret
Here is an example of how to use a secret from your vault.
Firstly use this command to see what entries you have in your vault:
Get-SecretInfo
Result:
I use the secret called "ana-client1_admin" to access my remote machine "ana-client1" with the administrator account.
Info: I enabled the WinRM configuration between two computers in a workgroup, so the next command has more parameters than it would in an Active Directory domain.
Enter-PSSession -ComputerName ana-client1 -Authentication Default -Credential (Get-Secret -Name ana-client1_admin) -UseSSL
Result: as you can see on the last line of the output, I am now connected to my remote computer "ana-client1" by using my secret 😀
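The command above works because `-Credential` expects a PSCredential, and `Get-Secret` hands one back only if the secret was stored as a PSCredential (a secret saved as a plain string comes back as a SecureString). The following added example, which is not part of the original post, stores the remoting credential as a PSCredential with some metadata, verifies its type before use, and runs a command on the remote host with it. The vault name, the secret name "ana-client1_admin" and the computer name "ana-client1" are assumptions taken over from the post.

```powershell
# Added example (not from the original post). Vault, secret and computer
# names are assumptions taken from the post's own examples.
$vaultName  = 'PersonalVault'
$secretName = 'ana-client1_admin'
$computer   = 'ana-client1'

# Create the entry only if it does not exist yet. Get-Credential prompts
# for the password, so it never appears in the script or in the history.
if (-not (Get-SecretInfo -Name $secretName -Vault $vaultName)) {
    $newCred = Get-Credential -Message "Credential to store as '$secretName'"
    Set-Secret -Name $secretName -Secret $newCred -Vault $vaultName `
               -Metadata @{ Purpose = 'WinRM admin'
                            Target  = $computer
                            Created = (Get-Date -Format 'o') }
}

# Inspect the entry without revealing it: only name, type and metadata.
Get-SecretInfo -Name $secretName -Vault $vaultName |
    Format-List Name, Type, VaultName, Metadata

# Retrieve it and fail early if somebody stored it as a string or SecureString.
$cred = Get-Secret -Name $secretName -Vault $vaultName
if ($cred -isnot [pscredential]) {
    throw "Secret '$secretName' is a $($cred.GetType().Name); expected PSCredential."
}

# Use the credential for remoting (-UseSSL as in the post's workgroup set-up).
Invoke-Command -ComputerName $computer -Credential $cred -UseSSL -ScriptBlock {
    "Connected to $(hostname) as $(whoami)"
}
```

`Get-SecretInfo` shows the stored type, so a quick look at its output tells you whether an entry can be passed to `-Credential` directly or first has to be wrapped in a PSCredential.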
Secret Store Default Path
The secret store default path is:
C:\Users\Didier\AppData\Local\Microsoft\PowerShell\secretmanagement\localstore
It is important to know that the store is encrypted on disk on your computer.
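A quick way to convince yourself of that, as an added example that is not part of the original post: store a throw-away secret with a random value, read every file under the store directory as raw bytes, and check that the value appears in none of them, neither as ASCII nor as UTF-16. The vault name and the test secret's name are assumptions for this example; the store path is the default one from the post, built from `$env:LOCALAPPDATA` instead of a hard-coded user name.

```powershell
# Added example (not from the original post). The vault name and the test
# secret name are assumptions; the path is the post's default store location.
$vaultName = 'PersonalVault'
$testName  = 'EncryptionCheck'
$plain     = 'canary-' + [guid]::NewGuid().ToString('N')   # random, unique value
$storePath = Join-Path $env:LOCALAPPDATA 'Microsoft\PowerShell\secretmanagement\localstore'

# Latin-1 maps every byte to exactly one char, so a byte search becomes a string search.
$latin1  = [System.Text.Encoding]::GetEncoding(28591)
$needles = @(
    $latin1.GetString([System.Text.Encoding]::ASCII.GetBytes($plain)),    # ASCII / UTF-8
    $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($plain))   # UTF-16LE
)

Set-Secret -Name $testName -Secret $plain -Vault $vaultName
try {
    $leaks = foreach ($file in Get-ChildItem -Path $storePath -Recurse -File) {
        $haystack = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
        foreach ($needle in $needles) {
            if ($haystack.Contains($needle)) { $file.FullName }   # ordinal match
        }
    }

    if ($leaks) {
        Write-Warning "Plaintext of the test secret found in:`n$($leaks -join "`n")"
    } else {
        Write-Host "No plaintext copy of the test secret found under $storePath"
    }
}
finally {
    # Always remove the throw-away entry, even if the scan throws.
    Remove-Secret -Name $testName -Vault $vaultName
}
```

The check is deliberately simple: it proves that the secret is not lying around in clear text, not that the encryption is strong. The store is still only as safe as the password you chose and the account that can run `Unlock-SecretStore`.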
I hope you enjoyed this post and I wish you a nice time!
Didier
Sources used (the links did not survive extraction):
- Getting started with Secrets Management for PowerShell (Mike Kanakos)
- PowerShell Gallery
- Module "Microsoft.PowerShell.SecretManagement" at PowerShell Gallery
- Module "Microsoft.PowerShell.SecretStore" at PowerShell Gallery
- Official documentation of the module "Secret Management" from Microsoft
- Official documentation of the module "Secret Store" from Microsoft