How to handle sensitive information (passwords, credentials, etc.) in PowerShell? That was the question that popped up when I started implementing another new feature in the automation environment. I also mentioned it in my previous blog post about using Terraform via SSH in vRealize Automation. Let’s find out where this question took me.

Background

Until this question popped up, I used the “ConvertFrom-SecureString” and “ConvertTo-SecureString” cmdlets to create and read a password file. Since the number of automations is growing (and with it the number of credentials), I asked myself: “What if we need to set up a new (PowerShell) server and recreate all those password files?” So I started looking for another way to store sensitive information.

Looking for alternatives

When I started looking for alternatives I found:

  • SecretManagement and SecretStore modules
    Can be used together with a KeePass extension module.
  • PoShKeePass
    Since we use KeePass as our password manager, this would be nice.

Looking only at how each product is maintained (for me an absolute must), it is remarkable that PoShKeePass hasn’t had a single update in the past 4 years (latest release: Mar 25, 2019). About the same can be said for the SecretManagement KeePass module, whose last update was 2 years ago (latest release: Aug 22, 2021).

So sadly no KeePass integration for me, but I was still curious what SecretManagement and SecretStore had to offer. The only thing I was missing at this point was some kind of export/import functionality in these modules, but I figured it wouldn’t be that difficult to create those features myself. The feature that immediately caught my attention was “metadata”; I was excited to see how this could help with tokens that expire at some point in time.

Getting started with sensitive information in Secret Management

Microsoft has great documentation about installing both modules and how to set them up for automation, so I’ll skip that part.

With the modules installed and the SecretStore created (don’t forget the password), let’s create our first entry.
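The following is an added example, not the snippet from the original post. It assumes the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules are installed, and that a vault named `SecretStore` is registered and unlocked; the secret name `vRAProdServiceAccount` is made up for the illustration.

```powershell
# Added example (not the original post's code). Assumes the SecretManagement and
# SecretStore modules are installed and a vault named 'SecretStore' is registered
# and unlocked. The secret name 'vRAProdServiceAccount' is a constructed example.

# Prompt for the credential so the password never appears in the script file or
# in the PowerShell history.
$cred = Get-Credential -Message 'Service account used by the vRA automations'

# A PSCredential is stored as a whole object; SecretStore encrypts it on disk.
# -NoClobber refuses to overwrite an existing secret with the same name, which
# guards against silently replacing a credential by accident.
Set-Secret -Name 'vRAProdServiceAccount' -Secret $cred -Vault SecretStore -NoClobber

# Listing the vault shows names and types only, never the secret values.
Get-SecretInfo -Vault SecretStore | Format-Table Name, Type, VaultName
```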
 

Great! We’ve got some sensitive information (credentials) saved in the SecretStore.

How can we get the sensitive information?

We need to use the “-AsPlainText” parameter, and since I saved a credential, we get a PSCredential object back.
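As an added example (again not the post's own snippet), this reads the credential back and hands the whole PSCredential to the cmdlet that needs it. The vault name and secret name match the entry created above; the vRA URI is a placeholder.

```powershell
# Added example (not the original post's code). Assumes the vault 'SecretStore'
# holds a PSCredential named 'vRAProdServiceAccount'; the URI is a placeholder.

# For a credential stored as PSCredential, Get-Secret returns the PSCredential object.
$cred = Get-Secret -Name 'vRAProdServiceAccount' -Vault SecretStore -AsPlainText

# Pass the object itself to the cmdlet instead of extracting the password, so the
# plain-text password never sits in a variable or ends up in a transcript.
$vraUri = 'https://vra.example.internal/api'   # placeholder endpoint
$response = Invoke-RestMethod -Uri $vraUri -Credential $cred

# Only when an API insists on a raw password should it be unwrapped, and then used
# immediately in the call rather than assigned to a variable:
#   $cred.GetNetworkCredential().Password
```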

Get sensitive information

What about the metadata, how can we make use of that?
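An added example of working with metadata, not the post's own snippet. It assumes an unlocked vault named `SecretStore`; the secret name, token value and expiry are constructed.

```powershell
# Added example (not the original post's code). Assumes an unlocked vault named
# 'SecretStore'. Secret name, token value and expiry below are constructed.

# SecretStore metadata values may be string, int or DateTime, so the expiry can be
# stored as a real DateTime instead of a string that has to be parsed later.
$expires = (Get-Date).AddHours(8)
Set-Secret -Name 'BackupProdToken' -Vault SecretStore -Secret 'constructed-token-value' `
    -Metadata @{ Expires = $expires; Purpose = 'Backup tool API'; Environment = 'Prod' }

# Get-SecretInfo exposes the metadata without revealing the secret value itself,
# so an expiry check never has to touch the token.
$info = Get-SecretInfo -Name 'BackupProdToken' -Vault SecretStore
$info.Metadata

$remaining = [datetime]$info.Metadata['Expires'] - (Get-Date)
'Token valid for another {0:N0} minutes' -f $remaining.TotalMinutes

# Metadata can be changed without rewriting the secret. Set-SecretInfo replaces the
# metadata as a whole, so pass every key you want to keep.
Set-SecretInfo -Name 'BackupProdToken' -Vault SecretStore `
    -Metadata @{ Expires = (Get-Date).AddHours(8); Purpose = 'Backup tool API'; Environment = 'Prod' }
```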

The code above returns the following:

Secret with metadata

So for sensitive information that expires after some time (tokens, for example) you can use this metadata to, say, recreate a token and then use it for as long as it is valid.

I’ll show it in the code below:
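The post's snippet is not reproduced here; as an added example (not the author's code) here is a function following the pattern described: `Test-BackupTokenValid` checks the expiry stored in the metadata, renews the token when needed and refreshes the authorization header, and a separate function unlocks the SecretStore with a password read via `Import-Clixml`. The vault name, secret name, password-file path and the `$NewToken` renewal callback are assumptions; how a new token is requested from the backup tool is specific to that product and is therefore passed in rather than hard-coded.

```powershell
# Added example (not the original post's code). Assumes an unlocked vault named
# 'SecretStore'; secret name, password-file path and the renewal callback are
# assumptions. The header is kept in script scope for the rest of the module.

function Unlock-MySecretStore {
    param(
        # Assumed path. The file is written once with:
        #   Read-Host -AsSecureString | Export-Clixml -Path <file>
        [string]$PasswordFile = (Join-Path $env:USERPROFILE 'secretstore-password.xml')
    )
    # Export-Clixml protects the SecureString with DPAPI, so the file can only be
    # imported by the same Windows account on the same machine. That is what
    # limits the damage if the file is copied elsewhere.
    $storePassword = Import-Clixml -Path $PasswordFile
    Unlock-SecretStore -Password $storePassword
}

function Test-BackupTokenValid {
    <#
    .SYNOPSIS
        Returns $true when the stored backup token is still valid. Otherwise a new
        token is obtained, stored with a fresh expiry in its metadata, and $false is
        returned. In both cases $script:BackupAuthHeader is refreshed.
    #>
    [CmdletBinding()]
    param(
        [string]$SecretName = 'BackupProdToken',
        # Hypothetical callback. It must return a hashtable with a 'Token' string
        # and an 'ExpiresAt' DateTime, e.g. from the backup tool's login call.
        [Parameter(Mandatory)][scriptblock]$NewToken,
        # Renew a little early so a request never leaves with a token that expires
        # while it is in flight.
        [int]$GraceMinutes = 5
    )

    $info    = Get-SecretInfo -Name $SecretName -Vault SecretStore -ErrorAction SilentlyContinue
    $expires = [datetime]::MinValue
    if ($info -and $info.Metadata -and $info.Metadata.ContainsKey('Expires')) {
        $expires = [datetime]$info.Metadata['Expires']
    }

    if ($expires -gt (Get-Date).AddMinutes($GraceMinutes)) {
        $token = Get-Secret -Name $SecretName -Vault SecretStore -AsPlainText
        $script:BackupAuthHeader = @{ Authorization = "Bearer $token" }
        return $true
    }

    # Expired, about to expire, or never stored: renew and persist with its expiry.
    $renewed = & $NewToken
    Set-Secret -Name $SecretName -Vault SecretStore -Secret $renewed.Token `
        -Metadata @{ Expires = [datetime]$renewed.ExpiresAt }
    $script:BackupAuthHeader = @{ Authorization = "Bearer $($renewed.Token)" }
    return $false
}

# Usage with a constructed renewal callback (a real one would call the backup tool):
Unlock-MySecretStore
$valid = Test-BackupTokenValid -NewToken {
    @{ Token = 'constructed-token-value'; ExpiresAt = (Get-Date).AddHours(8) }
}
"Token was already valid: $valid"
```

Calling `Test-BackupTokenValid` before every batch of requests keeps the header current without the rest of the script knowing about expiry at all; the grace period is the one knob worth tuning to the backup tool's token lifetime.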

In the function above (Test-BackupTokenValid) I’m not only recreating the token if it isn’t valid; I’m also updating the Backup Authorization Header, which is used in the web requests towards our backup tool. I’ve also created a function to unlock the SecretStore, in which Import-Clixml is used.

When you use a naming convention (<service><environment><name>) you can do some pretty cool stuff too. How about getting the proper username and password for a service using the environment as a variable?
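An added example (not the post's snippet) of the naming convention in use. It assumes an unlocked vault named `SecretStore` whose secret names follow `<service><environment><name>`, for instance `BackupProdCredential` and `BackupProdApiUri`; the set of environment names is an assumption.

```powershell
# Added example (not the original post's code). Assumes an unlocked vault named
# 'SecretStore' whose secret names follow <service><environment><name>, e.g.
# 'BackupProdCredential'. The environment list is an assumption.

function Get-ServiceSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][ValidateSet('Dev', 'Test', 'Acc', 'Prod')][string]$Environment,
        [Parameter(Mandatory)][string]$Name
    )
    # Build the secret name from the convention. -ErrorAction Stop turns a typo in
    # $Service or $Name into a hard failure instead of a $null that later ends up
    # in an authorization header.
    $secretName = '{0}{1}{2}' -f $Service, $Environment, $Name
    Get-Secret -Name $secretName -Vault SecretStore -AsPlainText -ErrorAction Stop
}

# The environment comes from one variable; the rest of the script stays identical
# between Dev and Prod.
$targetEnv  = 'Prod'   # constructed
$backupCred = Get-ServiceSecret -Service Backup -Environment $targetEnv -Name Credential
$backupUri  = Get-ServiceSecret -Service Backup -Environment $targetEnv -Name ApiUri

# Wildcards on -Name list every secret registered for one environment of a service,
# without revealing any values.
Get-SecretInfo -Name "Backup$targetEnv*" -Vault SecretStore | Select-Object Name, Type
```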

Final thoughts

The more I’ve used these modules for saving sensitive information, the more I enjoy them. I’ve even started using them more like a Configuration Element in vRealize Automation. For instance, the API URL of a service isn’t really sensitive information, but it is so easy to keep the URI in one single place next to the passwords and usernames. Just use “Get-Secret -Name <NAME> -AsPlainText” anywhere and you’re all set.
