Antonio Di Motta
Powershell Secret Store

As a DevOps engineer I have to handle a lot of secrets to manage my projects, which are complex and require several environments (dev, sit, uat, e2e, prod, ...), so the number of secrets to manage can grow quickly.

Where to store secrets is important, because they are critical information and incorrect handling can create huge security problems for the applications. When we deploy an application we use a secret management service like Azure Key Vault, but what can we do with the secrets saved on a personal machine? If you are using a simple plain-text file, you are making a mistake.

A better idea is to also have a key vault on the personal machine, so I decided to use PowerShell SecretStore, which is an extension vault module for the PowerShell SecretManagement module. It stores secrets locally in a file in the current user account context and uses .NET crypto APIs to encrypt the file contents. Secrets remain encrypted in memory and are only decrypted when retrieved and passed to the user.

Here is an example of use:

# install secret management module
Install-Module -Name Microsoft.PowerShell.SecretManagement
# install extension vault to store secrets to the local machine
Install-Module -Name Microsoft.PowerShell.SecretStore

# register a new local secret store
Register-SecretVault -Name mySecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# add two secrets to mySecretStore 
Set-Secret secret1 -Vault mySecretStore -Secret "this-is-the-value-for-secret1" -Metadata @{ envname = "dev"; varname = "var1" }
Set-Secret secret2 -Vault mySecretStore -Secret "this-is-the-value-for-secret2" -Metadata @{ envname = "dev"; varname = "var2" }

# show the list of secrets stored in mySecretStore
PS > Get-SecretInfo -Vault mySecretStore | Format-List

Name      : secret1
Type      : String
VaultName : mySecretStore
Metadata  : {[varname, var1], [envname, dev]}

Name      : secret2
Type      : String
VaultName : mySecretStore
Metadata  : {[varname, var2], [envname, dev]}

# retrieve the secret value
PS > Get-Secret secret1 -Vault mySecretStore -AsPlainText
this-is-the-value-for-secret1

As you noted, it is possible to define a set of metadata for each secret, so I decided to use this capability to improve the secret retrieval process. For example, I defined an envname for better separation of contexts and a varname to automate the creation of the PowerShell variables that hold the secrets in memory.

I implemented this logic in a function called Set-VariablesFromVault, which retrieves the secrets tagged with a given envname and stores them in variables named envname_varname. Below is an example of use:

# import my functions for loading secrets
Import-Module .\ADMsecret.psm1

# create PowerShell variables with the secret values, based on the envname and varname metadata
Set-VariablesFromVault -VaultName mySecretStore -EnvName dev

# check the results
PS > Get-Variable

Name                     Value
----                     -----
dev_var1                 this-is-the-value-for-secret1
dev_var2                 this-is-the-value-for-secret2
......................................................

The code of Set-VariablesFromVault is available here
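The function described above, as an added example that is not the author's ADMsecret.psm1 module (the parameter names, the -AsPlainText switch and the returned list of variable names are assumptions). It keeps values as SecureString by default, because a plain-text variable is listed by Get-Variable exactly as in the output above:

```powershell
# Added example: an illustrative implementation of Set-VariablesFromVault.
# Not the author's ADMsecret.psm1; parameter names and the -AsPlainText switch are assumptions.
# Requires the Microsoft.PowerShell.SecretManagement and SecretStore modules shown in the post.
function Set-VariablesFromVault {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $EnvName,
        # Scope of the created variables; Global makes them visible in the interactive session
        [string] $Scope = 'Global',
        # Values stay SecureString in memory unless the caller opts in to plain text
        [switch] $AsPlainText
    )

    # Get-SecretInfo exposes only names and metadata, so filtering decrypts nothing
    $matching = Get-SecretInfo -Vault $VaultName | Where-Object {
        $_.Metadata -and
        $_.Metadata.ContainsKey('envname') -and $_.Metadata['envname'] -eq $EnvName -and
        $_.Metadata.ContainsKey('varname')
    }

    $created = @()
    foreach ($info in $matching) {
        $varName = '{0}_{1}' -f $EnvName, $info.Metadata['varname']
        # Decrypt only the secrets that belong to the requested environment
        $value = if ($AsPlainText) {
            Get-Secret -Name $info.Name -Vault $VaultName -AsPlainText
        } else {
            Get-Secret -Name $info.Name -Vault $VaultName
        }
        Set-Variable -Name $varName -Value $value -Scope $Scope
        $created += $varName
        Write-Verbose "Loaded secret '$($info.Name)' into `$$varName"
    }
    # Return the variable names so the caller can clear them later with Remove-Variable
    return $created
}

# Usage matching the post's listing (plain-text values in the session):
# Set-VariablesFromVault -VaultName mySecretStore -EnvName dev -AsPlainText
```

When the work is done, `Remove-Variable -Name (Set-VariablesFromVault ...) -Scope Global` removes the loaded values from the session again.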
