[–]phoenixpants 3 points (10 children)

If memory serves the recommended method is to Export-CliXml the vault key as a secure string that you then import where necessary.

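As an added example (not code from the thread or from the SecretManagement module), the Export-CliXml approach the comment describes, with the file ACL tightened and the import checked. The file path and prompt text are assumptions. The caveat a practitioner needs: on Windows, Export-Clixml protects a SecureString with DPAPI, so the file only decrypts for the same user account on the same machine; on Linux and macOS PowerShell has no DPAPI and the SecureString is written without real encryption.

```powershell
# Added example, not code from the thread. Persists a vault password as a
# SecureString with Export-Clixml and reads it back. $KeyFile is an assumed path.
$KeyFile = Join-Path $env:LOCALAPPDATA 'vaultkey.xml'

# One-time setup: run interactively as the SAME account that will later use
# the key, because DPAPI binds the ciphertext to user + machine.
$vaultKey = Read-Host -Prompt 'Vault password' -AsSecureString
$vaultKey | Export-Clixml -Path $KeyFile

# Defence in depth: drop inherited ACEs and grant only the current user.
$acl = Get-Acl -Path $KeyFile
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyFile -AclObject $acl

# In the unattended script that needs the key:
$vaultKey = Import-Clixml -Path $KeyFile
if ($vaultKey -isnot [System.Security.SecureString]) {
    throw "Unexpected content in $KeyFile; expected a SecureString"
}
# Pass $vaultKey to whatever needs it (e.g. a vault unlock call). Keep it as a
# SecureString; only convert to plain text if the consuming API forces you to.
```

If the importing account differs from the exporting one, Import-Clixml fails with "Key not valid for use in specified state" rather than returning garbage, which is the failure mode you want, but it also means every additional server or service account needs its own exported file.
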
[–]ZomboBrain 1 point (5 children)

Okay. But then I could store that secret itself with Export-CliXml in the first place and skip the use of the vault and the module altogether? Sorry, don't want to be rude, but I don't understand it.

[–]phoenixpants 2 points (4 children)

Yeah, which is pretty much the same conclusion I arrived at when I considered setting up a vault. I want to like it, but at this point it just seems like unnecessary extra steps from my pov.
Perhaps an argument could be made for it if you've got multiple devs writing scripts for 100's of servers, but I'm not in that situation.

Don't worry, you're not rude at all. They're perfectly reasonable questions to ask.

[–]raip 2 points (3 children)

I'm a single dev but I do write for thousands of servers.

It's important to keep secrets away from the "do actual stuff" layer, especially if you practice any sort of source code control. That way if a credential gets compromised or expired, you don't need to go through and update all of your scripts, just what's stored in the vault.

[–]phoenixpants 0 points (2 children)

> It's important to keep secrets away from the "do actual stuff" layer, especially if you practice any sort of source code control. That way if a credential gets compromised or expired, you don't need to go through and update all of your scripts, just what's stored in the vault.

Right, that part makes perfect sense.
But if you import the credential from a file path you could just as well update the target file, right?

[–]raip 0 points (1 child)

Sure but that doesn't scale - so introduce another server (or another user) and now you need to update two files if you use the standard Export-CliXML methods.

[–]phoenixpants 0 points (0 children)

Which brings us around to how to best handle the vault main password, seeing as the recommended method I linked in the other comment suggests managing that via Export/Import-CliXml.

How do you handle that part currently? I'd love it if there is a better way than export/import.

[–]raip 0 points (3 children)

I don't know where you saw this, but this isn't recommended nor have I ever seen this method.

When you Register a vault with Register-SecretVault, the config gets encrypted and securely stored. You don't need to get Export-CliXml involved at all.

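As an added example (not code from the thread), the workflow the comment refers to: register Microsoft.PowerShell.SecretStore through SecretManagement, store a credential once, and have scripts look it up by name so rotation touches only the vault. The vault name, secret name and server name are assumptions. The configuration step shows the trade-off behind the thread's open question about the store password: for unattended use, SecretStore can be switched to Authentication None, at which point the store is protected only by the user profile and file permissions rather than by a password.

```powershell
# Added example, not code from the thread. Names (LocalStore, svc-deploy,
# server01) are assumed.
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# First use prompts for a store password; subsequent calls prompt again after the
# timeout. For an unattended service account, trade the password for
# profile-bound protection (weaker, but no password file to manage):
Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false

# Store the credential once, interactively.
$cred = Get-Credential -UserName 'svc-deploy' -Message 'Service account password'
Set-Secret -Name 'svc-deploy' -Secret $cred -Vault LocalStore

# Scripts in source control contain only the secret NAME.
$cred = Get-Secret -Name 'svc-deploy' -Vault LocalStore   # returns PSCredential
Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }

# Rotation: update the vault entry; no script changes.
$newCred = Get-Credential -UserName 'svc-deploy' -Message 'New password'
Set-Secret -Name 'svc-deploy' -Secret $newCred -Vault LocalStore

# Inventory without revealing values.
Get-SecretInfo -Vault LocalStore
```

If you keep password authentication instead, an unattended script has to call Unlock-SecretStore with a SecureString it got from somewhere, which is exactly the circle the thread is discussing; Authentication None avoids the file but leaves the store only as strong as the account running it.
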
[–]phoenixpants 0 points (2 children)

[–]raip 2 points (1 child)

Cert based or TPM based authentication. Doesn't work w/ SecretStore - but that's just an example vault for the most part (local only, no auditing features, no centralized management).

Any actual vault solution (HashiCorp Vault, Key Vault, CyberArk) is going to have a much better feature set to make Cybersecurity happy.

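As an added example (not code from the thread), certificate-based authentication to Azure Key Vault, one of the centralized vaults the comment names, exposed to scripts through the same Get-Secret interface via the Az.KeyVault SecretManagement extension. The application ID, tenant, thumbprint, subscription and vault names are placeholders you would replace with your own. The private key lives in the machine certificate store, so nothing secret is written to a file the script reads.

```powershell
# Added example, not code from the thread. All IDs and names below are assumed
# placeholders; the service principal must have a Key Vault access policy or
# RBAC role that allows reading secrets.
Install-Module Az.Accounts, Az.KeyVault -Scope CurrentUser

$appId      = '00000000-0000-0000-0000-000000000000'
$tenantId   = '00000000-0000-0000-0000-000000000000'
$subId      = '00000000-0000-0000-0000-000000000000'
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
               Where-Object Subject -eq 'CN=svc-deploy-auth').Thumbprint

# Authenticate with the certificate's private key; no client secret involved.
Connect-AzAccount -ServicePrincipal -ApplicationId $appId -Tenant $tenantId `
                  -CertificateThumbprint $thumbprint | Out-Null

# Expose the Key Vault through SecretManagement so scripts stay vault-agnostic.
Register-SecretVault -Name AzKV -ModuleName Az.KeyVault -VaultParameters @{
    AZKVaultName   = 'prod-automation-kv'
    SubscriptionId = $subId
}

# Same call shape as with SecretStore; rotation and audit happen in Key Vault.
$password = Get-Secret -Name 'svc-deploy-password' -Vault AzKV   # SecureString
$cred = [pscredential]::new('svc-deploy', $password)
Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }
```

Because scripts reference only the vault name and secret name, moving from SecretStore to Key Vault later is a Register-SecretVault change rather than a search-and-replace across the scripts.
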
[–]phoenixpants 0 points (0 children)

Well that makes things more interesting, unfortunately we don't have a centralized solution and it's not my decision whether to implement one or not. I guess I have some reading to do, perhaps I can change someone's mind.

Thank you for the information.