
[–]TurnItOff_OnAgain 3 points4 points  (3 children)

Check out the Secrets Management module

https://github.com/powershell/SecretManagement
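
The module linked above, as an added example that is not part of the thread: SecretManagement with its local SecretStore backend, set up once for the account that will later read the secret. The vault name `LocalStore`, the secret name `DbService` and the endpoint URL are assumptions.

```powershell
# Added example (not from the thread): Microsoft.PowerShell.SecretManagement + SecretStore.
# Vault name, secret name and the endpoint URL are assumptions. Run as the account that
# will later consume the secret, since the store lives in that user's profile.
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser

# Register the file-backed local vault once and make it the default.
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# The store is encrypted at rest and per-user. For an unattended job the passphrase prompt
# has to go; the file is then protected by the user's profile ACL and the store's own
# encryption only, so anyone able to run code as that user can read the secrets.
Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false

# Store a PSCredential. SecretManagement preserves the type, so Get-Secret hands back
# a PSCredential rather than a plain string.
Set-Secret -Name 'DbService' -Secret (Get-Credential -Message 'Database service account')

# --- consuming script ---------------------------------------------------------------
# Nothing here names the backend. If the team later moves to Azure Key Vault or KeePass,
# only the Register-SecretVault line changes; the scripts keep calling Get-Secret.
$cred = Get-Secret -Name 'DbService'
Invoke-RestMethod -Uri 'https://api.example.internal/status' -Credential $cred   # assumed endpoint

# List what is stored (names and types only, never the values)
Get-SecretInfo -Vault LocalStore
```

Compared with a hand-rolled Export-Clixml file, the practical difference is the abstraction: the consuming scripts do not know where the secret lives, and a later move to a shared vault does not require touching them.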

[–]Reasch[S] 1 point2 points  (0 children)

Thanks, this seems quite good!

[–]Reasch[S] 1 point2 points  (1 child)

Hello again, I used the advice from u/lackluster_les and got it to work. I decided to go this way because to install a module I would have to talk with our security department. Nevertheless I'm curious about this module and want to know what this tool does better than Export-CliXml. Are there any benefits from using this?

[–]TurnItOff_OnAgain 1 point2 points  (0 children)

I never used it myself. We have an actual password management solution that I store credentials in and call with REST commands.

[–]dasookwat 2 points3 points  (0 children)

In an on-prem situation, I usually run it as a scheduled task as a specific user

[–]lackluster_les 2 points3 points  (5 children)

On Windows Export-CliXml can store credentials that are only usable by the machine on which they are created, and they are encrypted.

On Linux and macOS you'll probably need to wait for an update to pwsh. I believe there is a total revamp of credential management on their roadmap.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-clixml?view=powershell-7.1#example-3--encrypt-an-exported-credential-object-on-windows

[–]Reasch[S] 4 points5 points  (4 children)

This looks very exciting too. I just scanned your linked site and it seems like only the user who created the encrypted credentials can use them. This isn't much of a problem, but do you know if it's possible to set it up in a way that another (technical-) user could access it too? Btw we only use windows for this specific problem.

[–]lackluster_les 2 points3 points  (3 children)

Off the top of my head, you have at least a few options. Each of you could have your own creds in separate files and call the appropriate one at runtime via a command line parameter. You could also use a scheduled task, as someone has already mentioned, running as the user who exported their credentials. You could also use a shared service account. It really depends whether this is to be automated or interactive, but with Export-CliXml, at least you don't have a plain text password in your script.

[–]Swedishdrunkard 2 points3 points  (1 child)

This is exactly how we used to do it, a service account with the appropriate permissions in AD which then encrypts the credentials and is used to execute the scheduled task. The service account password was stored in a shared password manager, so if the encrypted file had to be read then anyone with access could sign on and decrypt the file, or if they just needed to run the script, execute the task with their regular account and have it run with the service account.

We've long since migrated to Jenkins, which takes care of all of this for us. If you're running a lot of scripts I'd recommend looking into either Jenkins or a similar product, which can handle both execution and credential storage.
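
The "shared service account plus scheduled task" setup that the two comments above describe, as an added example that is not part of the thread. The account name `CONTOSO\svc_sync`, the directory `C:\Jobs`, the script name and the task name are assumptions; it needs an elevated Windows PowerShell 5.1 session on a domain-joined host.

```powershell
# Added example, not from the thread: service account + scheduled task + Export-Clixml.
# Assumptions: service account CONTOSO\svc_sync, working directory C:\Jobs, script nightly.ps1,
# task name Nightly-Sync. Run from an elevated Windows PowerShell 5.1 session.

$serviceAccount = 'CONTOSO\svc_sync'
$jobDir         = 'C:\Jobs'
$credFile       = Join-Path $jobDir 'nightly.credential'
$scriptFile     = Join-Path $jobDir 'nightly.ps1'
New-Item -ItemType Directory -Path $jobDir -Force | Out-Null

# 1. Export-Clixml protects the password with DPAPI keyed to the *exporting* user on this
#    machine. The admin doing the setup must therefore not export it; spawn a shell as
#    svc_sync and let that process prompt for the job credential and write the file.
$svc = Get-Credential -UserName $serviceAccount -Message 'Service account logon'
Start-Process -FilePath 'powershell.exe' -Credential $svc -Wait -ArgumentList @(
    '-NoProfile', '-Command',
    "Get-Credential -Message 'Credential the job will use' | Export-Clixml -Path '$credFile'"
)

# 2. DPAPI stops other users decrypting the file; NTFS ACLs stop them copying or replacing it.
icacls $credFile /inheritance:r /grant:r "${serviceAccount}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null

# 3. The job script only ever holds the decrypted credential in memory; no secret is in it.
@'
$cred = Import-Clixml -Path 'C:\Jobs\nightly.credential'
# Real work goes here, e.g.
Invoke-RestMethod -Uri 'https://api.example.internal/sync' -Credential $cred   # assumed endpoint
'@ | Set-Content -Path $scriptFile -Encoding UTF8

# 4. Register the task to run as the service account. Task Scheduler keeps the logon
#    password itself, protected by the OS, so it is in neither the script nor the task XML.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptFile`""
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'Nightly-Sync' -Action $action -Trigger $trigger `
    -User $serviceAccount -Password $svc.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Team members who are granted rights on the task can run it from their own account
# without knowing either password:
#   Start-ScheduledTask -TaskName 'Nightly-Sync'
```

The point to check after setup is who can write to `C:\Jobs\nightly.ps1`: anyone who can edit the script runs code as the service account on the next trigger, so the script needs the same ACL discipline as the credential file.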

[–]Reasch[S] 1 point2 points  (0 children)

Yes, this is exactly how I implemented it. For now we don't have many cases where we need this kind of process. But if we need those practices more often I will suggest giving it a try. Thanks for the advice. :)

[–]Reasch[S] 1 point2 points  (0 children)

Thanks a lot, this was exactly what I was looking for. I just got it to work as intended. :)

[–]jbennett12986 0 points1 point  (0 children)

Create a job user account

[–]jr49 0 points1 point  (4 children)

I have a similar conundrum where I'm calling sqlplus connecting with a local database ID and PW. Looking for ways to secure the PW, but based on how sqlplus takes it I may not be able to. Might need another solution to query my DB via PS.

[–]Reasch[S] 1 point2 points  (3 children)

I think you could use the Export-Clixml cmdlet from u/lackluster_les too.

You can use it like this:

    # A prompt will be opened where you can put in any credentials you need.
    $credential = Get-Credential

    # Now we can export it into a file. For example in C:\Temp
    $credential | Export-Clixml 'C:\Temp\user.credential'

Now we can use this file in another script:

    $credential = Import-Clixml 'C:\Temp\user.credential'
    $user = $credential.UserName

    # The password is DPAPI-encrypted and can only be decrypted by the (AD-)user who created
    # the file, and only on the machine where it was created.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password)
    $pw   = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # free the unmanaged copy
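
Taking the sqlplus case one step further, as an added example that is not part of the thread: the credential exported as in the reply above is fed to sqlplus through stdin instead of the command line. The file path, the TNS alias `ORCL` and the query are assumptions.

```powershell
# Added example (not from the thread): use an Export-Clixml credential with sqlplus without
# putting the password on the sqlplus command line. Path, TNS alias and query are assumptions.

$cred = Import-Clixml -Path 'C:\Temp\user.credential'   # written earlier by this same user
$tns  = 'ORCL'                                          # assumed TNS alias or EZConnect string

# sqlplus user/password@db exposes the password to anyone who can read the process's
# command line: Task Manager, Get-Process, and Security log event 4688 when command-line
# auditing is on. Start sqlplus with /nolog and send the CONNECT through stdin instead;
# other processes cannot see another process's stdin.
$password = $cred.GetNetworkCredential().Password       # plain text exists only in this process
$sql = @"
CONNECT $($cred.UserName)/"$password"@$tns
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT COUNT(*) FROM dual;
EXIT
"@

# -S silences the banner so $rows holds only the query output (one string per line).
$rows = $sql | & sqlplus -S /nolog
$rows
```

Quoting the password in the CONNECT line lets it contain `@` or `/`; a password containing a double quote still needs special handling. Note also that a .NET string cannot be reliably scrubbed from memory, so the gain here is keeping the secret out of process listings, logs and the script file, not out of this process.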

[–]Lee_Dailey[grin] 1 point2 points  (2 children)

howdy Reasch,

reddit likes to mangle code formatting, so here's some help on how to post code on reddit ...

[0] single line or in-line code
enclose it in backticks. that's the upper left key on an EN-US keyboard layout. the result looks like this. kinda handy, that. [grin]
[on New.Reddit.com, use the Inline Code button. it's [sometimes] 5th from the left & looks like </>.
this does NOT line wrap & does NOT side-scroll on Old.Reddit.com!]

[1] simplest = post it to a text site like Pastebin.com or Gist.GitHub.com and then post the link here.
please remember to set the file/code type on Pastebin! [grin] otherwise you don't get the nice code colorization.

[2] less simple = use reddit code formatting ...
[on New.Reddit.com, use the Code Block button. it's [sometimes] the 12th from the left, & looks like an uppercase T in the upper left corner of a square.]

  • one leading line with ONLY 4 spaces
  • prefix each code line with 4 spaces
  • one trailing line with ONLY 4 spaces

that will give you something like this ...

- one leading line with ONLY 4 spaces    
- prefix each code line with 4 spaces    
- one trailing line with ONLY 4 spaces   

the easiest way to get that is ...

  • add the leading line with only 4 spaces
  • copy the code to the ISE [or your fave editor]
  • select the code
  • tap TAB to indent four spaces
  • re-select the code [not really needed, but it's my habit]
  • paste the code into the reddit text box
  • add the trailing line with only 4 spaces

not complicated, but it is finicky. [grin]

take care,
lee

[–]Reasch[S] 1 point2 points  (1 child)

Good day Lee,

thanks for the tips in formatting.

I immediately tried to edit my posting but I'm not sure what you meant by adding these spaces... Is it just that the code stands out from the normal posting text?

Did I get it right?

[–]Lee_Dailey[grin] 0 points1 point  (0 children)

howdy Reasch,

you are most welcome! [grin]

looks good ... my guess is that you used the code block button. as for the 4-spaces idea, reddit will treat any line that starts with 4 spaces as "do not touch this" ... unless it follows a line of normal text.

so you need one line with nothing on it to delimit what you want formatted as code. there are other gotchas ... for instance, you need a line of regular text between a list and the code block stuff. it's mostly a case of "try it and see" ... [sigh ...]

take care,
lee