Many burglars attempting to break into a PowerShell safe

When using PowerShell for scripting, you may need to store credentials within the script. Hard-coding them there is insecure, especially when the credential is an API key. The preferred way to deal with this is the PowerShell SecretStore module. I will go over how to install this module and configure it so that a script can retrieve credentials in an easy and secure way.


Install SecretStore Modules

  • On the server which will be running your script, open an admin PowerShell window as the service account and run the following commands...
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery -Force
Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery -Force
  • This will install the PowerShell SecretStore and SecretManagement modules. You will need both of them: SecretManagement provides the generic Get-Secret/Set-Secret cmdlets, and SecretStore is the local vault they talk to.

Configure SecretStore Modules

  • Next you can import the modules...
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore
  • Create a SecureString that can be exported to an XML file, where Windows encrypts it for the current user account on this machine. The username is not important.
PS> $credential = Get-Credential -UserName 'SecureStore'

PowerShell credential request
Enter your credentials.
Password for user SecureStore: **************
  • Save the password to an encrypted XML file
$securePasswordPath = 'C:\scripts\passwd.xml'
$credential.Password | Export-Clixml -Path $securePasswordPath
  • Now it is time to configure the SecretStore vault. This configuration sets user interaction to None so that it never prompts the user. The password is passed in as a SecureString object.
Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
$password = Import-CliXml -Path $securePasswordPath

$storeConfiguration = @{
    Authentication = 'Password'
    PasswordTimeout = 3600 # 1 hour
    Interaction = 'None'
    Password = $password
    Confirm = $false
}
Set-SecretStoreConfiguration @storeConfiguration

Add Secrets and finish up

  • Use Unlock-SecretStore to unlock your secret store and then use Set-Secret to add the secrets you need to use in your scripts. See my example below...
Unlock-SecretStore -Password $password
Set-Secret -Name ExampleSecret -Secret APIKEY1234
  • Finally open up the script you are planning to automate and add the following lines.
# Both modules are needed: Unlock-SecretStore comes from SecretStore, Get-Secret from SecretManagement
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore
$securePasswordPath = 'C:\scripts\passwd.xml'
# Import-Clixml can only decrypt this file as the user who exported it
$password = Import-CliXml -Path $securePasswordPath
Unlock-SecretStore -Password $password
$exampleapikey = Get-Secret -Name ExampleSecret -AsPlainText
  • The $exampleapikey variable will hold your API key without the key ever appearing in the script's source.
  • Only the user that you originally opened the PowerShell window with has access to the secret store password xml file. If you have multiple service accounts, you need to make a secret store for each with a separate password xml file.

Secret Vaults are user specific, so you need to be sure you are running powershell as the user that will be running your script when you configure the SecretStore.
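Putting the steps above together, here is an added example of a complete automation script (not from the original post) that unlocks the vault with the encrypted password file, fetches the API key, and fails with a clear message when run as the wrong account or when the secret is missing. The API endpoint, header name and parameter names are assumptions for illustration.

```powershell
# Added example: automation script using the SecretStore configured above.
# $ApiUri is a placeholder; replace it with the real endpoint the script calls.
param(
    [string]$SecurePasswordPath = 'C:\scripts\passwd.xml',
    [string]$SecretName = 'ExampleSecret',
    [string]$ApiUri = 'https://api.example.invalid/v1/status'   # placeholder
)

Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

if (-not (Test-Path -Path $SecurePasswordPath)) {
    throw "Password file '$SecurePasswordPath' not found. Run the one-time setup as the service account first."
}

# Export-Clixml protected the SecureString for the user who created it on this machine,
# so decrypting or unlocking fails if the script runs as a different account.
try {
    $vaultPassword = Import-Clixml -Path $SecurePasswordPath
    Unlock-SecretStore -Password $vaultPassword -ErrorAction Stop
} catch {
    throw "Could not unlock SecretStore as $env:USERNAME. Is this the account that configured the vault? $_"
}

# Get-Secret writes an error (not an exception) when the name is unknown, so check for an empty result.
$apiKey = Get-Secret -Name $SecretName -AsPlainText -ErrorAction SilentlyContinue
if ([string]::IsNullOrEmpty($apiKey)) {
    throw "Secret '$SecretName' not found in the vault. Add it with Set-Secret as this account."
}

try {
    # Use the key directly in the request; never write it to logs or the console.
    $response = Invoke-RestMethod -Uri $ApiUri -Headers @{ 'Authorization' = "Bearer $apiKey" }
    $response
} finally {
    # Drop the plaintext reference as soon as it is no longer needed.
    Remove-Variable -Name apiKey -ErrorAction SilentlyContinue
}
```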


Conclusion

We've installed the SecretStore and SecretManagement PowerShell modules and created a secret store with a configuration geared towards automation. Then we created a password for the secret store and saved it, encrypted, to an XML file. Lastly, we added the necessary code to the automation script. This gives us access to the credentials we need without exposing them in our PowerShell script's code. Hopefully this article was helpful!
