• Stars
    star
    321
  • Rank 130,793 (Top 3 %)
  • Language
    C#
  • License
    MIT License
  • Created over 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PowerShell module to consistent usage of secrets through different extension vaults

PowerShell SecretManagement module

PowerShell SecretManagement module provides a convenient way for a user to store and retrieve secrets. The secrets are stored in SecretManagement extension vaults. An extension vault is a PowerShell module that has been registered to SecretManagement, and exports five module functions required by SecretManagement. An extension vault can store secrets locally or remotely. Extension vaults are registered to the current logged in user context, and will be available only to that user (unless also registered to other users).

In addition to implementing the five required SecretManagement functions, extension vaults are responsible for any authentication, including prompting the user for passphrases, and providing error and informational messages specific to the vault implementation. Error and informational messages common to all extension vaults are provided by SecretManagement.

PowerShell SecretManagement module is essentially an orchestrator for extension vaults which perform the actual secret storage and encryption. The extension vault may implement its own store, or wrap an existing secure store solution, such as Azure KeyVault, KeePass, Keyring, etc.

PowerShell SecretManagement supports the following secret data types:

  • byte[]
  • string
  • SecureString
  • PSCredential
  • Hashtable

All extension vault implementations must also support these data types.

PowerShell SecretManagement module provides cmdlets for for accessing and manipulating secrets, and also cmdlets for registering and manipulating vault extensions.

Installation

You can install the Microsoft.PowerShell.SecretManagement module from the PowerShell Gallery.

Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery

Secret metadata

Extension vaults can optionally support storing and retrieving additional secret metadata, that is data associated with the secret.
Secret metadata is not security sensitive and does not need to be stored securely in the extension vault.

Secret metadata can be included by using the -Metadata parameter: Set-Secret -Metadata @{ Name=Value }. The -Metadata parameter takes a Hashtable type argument consisting of name/value pairs.
Extension vaults should at minimum support the following value types:

  • string

  • int

  • DateTime

The secret metadata is included in the SecretInformation type object returned by Get-SecretInfo, in a Metadata property.
The Metadata property is a ReadonlyDictionary<string, object> type.

Vault extension registration cmdlets

Register-SecretVault

Registers a single extension vault to the current user

Get-SecretVault

Retrieves information about one or more registered extension vaults

Unregister-SecretVault

Unregisters a single extension vault

Set-SecretVaultDefault

Sets one registered extension vault as the default vault

Test-SecretVault

Runs the Test-SecretVault function provided by the extension vault

Unlock-SecretVault

Unlocks the extension vault through a passed in SecureString password

Accessing secrets cmdlets

Set-Secret

Adds a secret to a specific extension vault, or to the default vault if no vault is specified

Set-SecretInfo

Adds or replaces additional secret metadata to an existing secret in the vault. Metadata is not stored securely.

Get-Secret

Retrieves a secret from a specific extension vault, or first found over all vaults

Get-SecretInfo

Retrieves information about one or more secrets, but not the secret itself

Remove-Secret

Removes a secret from a specific vault

Vault extension registration

Vault extensions are registered to the current user context. They are registered as PowerShell modules that expose required functions used by SecretManagement to manipulate secrets. The required functions are provided as PowerShell cmdlets, and can be implemented as script or binary cmdlets.

Since each extension vault module exports the same five cmdlets, the module must conform to a directory structure that hides cmdlets from the user and PowerShell command discovery. Therefore the extension vault module itself does not export the five required cmdlets directly, but are instead exported from a nested module that resides within the extension vault module directory. This nested module must have a name that is the parent module name with '.Extension' appended to it.

It is recommended that the parent module manifest file (.psd1) include the 'SecretManagement' tag in its PrivateData section. This allows PowerShellGallery to associate it with the SecretManagement module.

Example: Script module vault extension

This is a minimal vault extension example to demonstrate the directory structure and functional requirements of an extension vault module. The extension vault module name is 'TestVault'.

Module directory structure

./TestVault
./TestVault/TestVault.psd1
./TestVault/TestStoreImplementation.dll
./TestVault/TestVault.Extension
./TestVault/TestVault.Extension/TestVault.Extension.psd1
./TestVault/TestVault.Extension/TestVault.Extension.psm1

TestVault.psd1 file

@{
    ModuleVersion = '1.0'
    RootModule = '.\TestStoreImplementation.dll'
    NestedModules = @('.\TestVault.Extension')
    CmdletsToExport = @('Set-TestStoreConfiguration','Get-TestStoreConfiguration')
    PrivateData = @{
        PSData = @{
            Tags = @('SecretManagement')
        }
    }
}

The TestVault extension module has a binary component (TestStoreImplementation.dll) which implements the vault. It publicly exports two cmdlets that are used to configure the store. It also declares the required nested module (TestVault.Extension) that exports the five functions required by SecretManagement registration.

Note that the nested module conforms to the required naming format:
'[ModuleName].Extension'

Note that only the 'NestedModules' entry is required because it loads 'TestVault.Extension' into the module scope, and allows SecretManagement access to the required five functions. The 'RootModule' and 'CmdletsToExport' entries are only for configuring the TestStore in this specific case, and are not needed in general.

TestVault.Extension.psd1 file

@{
    ModuleVersion = '1.0'
    RootModule = '.\TestVault.Extension.psm1'
    RequiredAssemblies = '..\TestStoreImplementation.dll'
    FunctionsToExport = @('Set-Secret','Get-Secret','Remove-Secret','Get-SecretInfo','Test-SecretVault')
}

This nested module implements and exports the five functions required by SecretManagement. It also specifies the TestStoreImplementation.dll binary as a 'RequiredAssemblies' because the five exported functions depend on it.

TestVault.Extension.psm1 file

function Get-Secret
{
    [CmdletBinding()]
    param (
        [string] $Name,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    return [TestStore]::GetItem($Name, $AdditionalParameters)
}

function Get-SecretInfo
{
    [CmdletBinding()]
    param (
        [string] $Filter,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    return @(,[Microsoft.PowerShell.SecretManagement.SecretInformation]::new(
        "Name",        # Name of secret
        "String",      # Secret data type [Microsoft.PowerShell.SecretManagement.SecretType]
        $VaultName,    # Name of vault
        $Metadata))    # Optional Metadata parameter
}

function Set-Secret
{
    [CmdletBinding()]
    param (
        [string] $Name,
        [object] $Secret,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    [TestStore]::SetItem($Name, $Secret)
}

# Optional function
function Set-SecretInfo
{
    [CmdletBinding()]
    param (
        [string] $Name,
        [hashtable] $Metadata,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    [TestStore]::SetItemMetadata($Name, $Metadata)
}

function Remove-Secret
{
    [CmdletBinding()]
    param (
        [string] $Name,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    [TestStore]::RemoveItem($Name)
}

function Test-SecretVault
{
    [CmdletBinding()]
    param (
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    return [TestStore]::TestVault()
}

# Optional function
function Unregister-SecretVault
{
    [CmdletBinding()]
    param (
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    [TestStore]::RunUnregisterCleanup()
}

# Optional function
function Unlock-SecretVault
{
    [CmdletBinding()]
    param (
        [SecureString] $Password,
        [string] $VaultName,
        [hashtable] $AdditionalParameters
    )

    [TestStore]::UnlockVault($Password)
}

This module script implements the five functions, as cmdlets, required by SecretManagement, plus some optional functions. It also implements an optional Unregister-SecretVault function that is called during vault extension un-registration. It also implements an optional Set-SecretInfo function that sets secret metadata to a specific secret in the vault. It also implements an optional Unlock-SecretVault function that unlocks the vault for the current session based on a provided password.

The Set-Secret, Set-SecretInfo, Remove-Secret, Unregister-SecretVault functions do not write any data to the pipeline, i.e., they do not return any data.

The Get-Secret cmdlet writes the retrieved secret value to the output pipeline on return, or null if no secret was found. It should write an error only if an abnormal condition occurs.

The Get-SecretInfo cmdlet writes an array of Microsoft.PowerShell.SecretManagement.SecretInformation type objects to the output pipeline or an empty array if no matches were found.

The Test-SecretVault cmdlet should write all errors that occur during the test. But only a single true/false boolean should be written the the output pipeline indicating success.

The Unregister-SecretVault cmdlet is optional and will be called on the extension vault if available. It is called before the extension vault is unregistered to allow it to perform any needed clean up work.

The Unlock-SecretVault cmdlet is optional and will be called on the extension vault if available. It's purpose is to unlock an extension vault for use without having to prompt the user, and is useful for unattended scripts where user interaction is not possible.

In general, these cmdlets should write to the error stream only for abnormal conditions that prevent successful completion. And write to the output stream only the data as indicated above, and expected by SecretManagement.

In addition, these cmdlets should perform proper authentication and provide errors, and instructions to authenticate, as appropriate. Or prompt the user if needed, for example if a passphrase is required.

A vault extension doesn't need to provide full implementation of all required functions. For example, a vault extension does not need to provide a way to add or remove a secret through the SecretManagement cmdlets, and can just provide retrieval services. If a vault extension doesn't support some functionality, then it should write an appropriate error with a meaningful message.

Be careful with module implementation with scripts, because any data returned by function or method calls are automatically written to the output pipeline (if not assigned to a variable). SecretManagement expects only specific data to appear in the output pipeline, and if other data is inadvertently written, that will cause SecretManagement to not function properly.

Registering the vault

Once the TestVault module is created, it is registered as follows:

Register-SecretVault -Name LocalStore -ModuleName ./TestVault -VaultParameters @{ None="ReallyNeeded" } -DefaultVault

Get-SecretVault

VaultName  ModuleName  IsDefaultVault
---------  ----------  --------------
LocalStore TestVault   True

Extension vault registry file location

SecretManagement is designed to be installed and run within a user account on both Windows and non-Windows platforms. The extension vault registry file is located in a user account protected directory.

For Windows platforms the location is:
%LOCALAPPDATA%\Microsoft\PowerShell\secretmanagement

For non-Windows platforms the location:
$HOME/.secretmanagement

Windows Managed Accounts

SecretManagement does not currently work for Windows managed accounts.

SecretManagement depends on both %LOCALAPPDATA% folders to store registry information, and Data Protection APIs for safely handling secrets with the .Net SecureString type.
However, Windows managed accounts do not have profiles or %LOCALAPPDATA% folders, and Windows Data Protection APIs do not work for managed accounts.
Consequently, SecretManagement will not run under managed accounts.

More Repositories

1

PowerShell

PowerShell for every system!
C#
44,633
star
2

Win32-OpenSSH

Win32 port of OpenSSH
7,290
star
3

PSReadLine

A bash inspired readline implementation for PowerShell
C#
3,700
star
4

PSScriptAnalyzer

Download ScriptAnalyzer from PowerShellGallery
C#
1,842
star
5

vscode-powershell

Provides PowerShell language and debugging support for Visual Studio Code
TypeScript
1,687
star
6

DscResources

Central repository for PowerShell Desired State Configuration (DSC) resources.
772
star
7

ConsoleGuiTools

Modules that mix PowerShell and GUIs/CUIs!
C#
772
star
8

platyPS

Write PowerShell External Help in Markdown
C#
765
star
9

PowerShellEditorServices

A common platform for PowerShell development support in any editor or application!
C#
623
star
10

Polaris

A cross-platform, minimalist web framework for PowerShell
PowerShell
507
star
11

PSResourceGet

PSResourceGet is the package manager for PowerShell
C#
483
star
12

PowerShellGetv2

PowerShellGet is the Package Manager for PowerShell
PowerShell
430
star
13

PowerShell-RFC

RFC (Request for Comments) documents for community feedback on design changes and improvements to PowerShell ecosystem
PowerShell
430
star
14

PowerShell-Docker

Repository for building PowerShell Docker images
Dockerfile
400
star
15

Crescendo

a module for wrapping native applications in a PowerShell function and module
PowerShell
397
star
16

JEA

Just Enough Administration
PowerShell
254
star
17

PowerShellGallery

PowerShell
228
star
18

Operation-Validation-Framework

PowerShell
223
star
19

DSC

This repo is for the DSC v3 project
Rust
192
star
20

SHiPS

Simple Hierarchy in PowerShell - developing PowerShell provider got so much easier
C#
188
star
21

PSSwagger

The cmdlet generator from OpenAPI (f.k.a Swagger) specification
PowerShell
164
star
22

PowerShellStandard

C#
157
star
23

SecretStore

C#
155
star
24

PSPrivateGallery

DSC Resources and Configurations to deploy and manage Private PowerShell Gallery
PowerShell
148
star
25

CompletionPredictor

C#
145
star
26

GPRegistryPolicyParser

PowerShell
140
star
27

WindowsCompatibility

Module that allows Windows PowerShell Modules to be used from PSCore6
PowerShell
137
star
28

PowerShell-Tests

Pester based tests for testing PowerShell
PowerShell
130
star
29

PowerShell-IoT

Interact with I2C, SPI & GPIO devices using PowerShell Core!
C#
130
star
30

PSDscResources

PowerShell
129
star
31

EditorSyntax

PowerShell syntax highlighting for editors (VS Code, Atom, SublimeText, TextMate, etc.) and GitHub!
PowerShell
127
star
32

Modules

C#
111
star
33

Phosphor

A library and PowerShell module for generating user interfaces from PowerShell modules
TypeScript
109
star
34

GPRegistryPolicy

PowerShell
102
star
35

Community-Blog

Submissions for posts to the PowerShell Community Blog -https://devblogs.microsoft.com/powershell-community
102
star
36

psl-omi-provider

PSRP Linux support library
C
100
star
37

Microsoft.PowerShell.Archive

Archive PowerShell module contains cmdlets for working with ZIP archives
C#
93
star
38

PSArm

PSArm is a PowerShell module that provides a PowerShell-embedded domain-specific language (DSL) for Azure Resource Manager (ARM) templates
C#
77
star
39

Remotely

Enable remote execution of scripts. Works with Pester.
PowerShell
74
star
40

TextUtility

Microsoft.PowerShell.TextUtility module
C#
64
star
41

PSDesiredStateConfiguration

Source for https://www.powershellgallery.com/packages/PSDesiredStateConfiguration module
PowerShell
59
star
42

ProjectMercury

An interactive shell to work with AI-powered assistance providers
C#
56
star
43

Demo_CI

PowerShell
55
star
44

PowerShellGet

This module provide functions used with PowerShellGet v3 to provide compatibility with scripts expecting PowerShellGet v2
PowerShell
55
star
45

DscResource.Tests

Common meta tests for PowerShell DSC resources repositories.
PowerShell
51
star
46

PowerShell-Native

C++
48
star
47

Whitepapers

Staging area for new documents and whitepapers
46
star
48

AzurePSDrive

Navigate Azure Resources Just like A FileSystem
PowerShell
41
star
49

ContainerProvider

ContainerImageProvider
PowerShell
38
star
50

PrivateCloud.DiagnosticInfo

PowerShell
38
star
51

PackageManagementProviderResource

Modules with DSC resources for the PackageManagement(aka OneGet) providers.
PowerShell
37
star
52

Pager

Project for console pager, which is published as a NuGet package Microsoft.PowerShell.Pager
C#
34
star
53

MarkdownRender

C#
32
star
54

DSC-Samples

Samples and tutorials for DSC v3
Go
29
star
55

PlasterBuild

Provides common build tasks for PowerShell module projects
PowerShell
29
star
56

PowerShell-Snap

PowerShell
28
star
57

SelfSignedCertificate

A module for generating self-signed certificates in PowerShell Core
PowerShell
27
star
58

CimPSDrive

SHiPS based provider to navigate CIM classes and namespaces
PowerShell
27
star
59

DscConfigurations

PowerShell
27
star
60

tree-sitter-PowerShell

JavaScript
25
star
61

GitHub-Actions

PowerShell
25
star
62

MMI

C#
24
star
63

Microsoft.PowerShell.Kubectl

PowerShell module to manage Kubernetes
PowerShell
23
star
64

LibreSSL

C
22
star
65

ODataUtils

PowerShell Module to generate cmdlets from an OData endpoint
PowerShell
22
star
66

ThreadJob

PowerShell
22
star
67

WmiNamespaceSecurityDsc

This module contains DSC resources to manage WMI Namespace Security.
PowerShell
21
star
68

FileUtility

C#
21
star
69

UnixCompleters

C#
20
star
70

Homebrew-Tap

Ruby
19
star
71

underhanded-powershell

Underhanded PowerShell Contest Repository
PowerShell
18
star
72

Hardware-Management-Module

PowerShell
17
star
73

generator-powershell

Create PowerShell modules and scripts using Yeoman!
JavaScript
16
star
74

Announcements

PowerShell Team Announcements
15
star
75

JsonAdapter

C#
14
star
76

PowerShellModuleCoverage

Track issues related to using Windows PowerShell modules with PowerShell
13
star
77

whatsnew

PowerShell
13
star
78

PSRelease

PowerShell
11
star
79

AwsDscToolkit

AWS DSC Toolkit
PowerShell
10
star
80

DscResource.Template

PowerShell
10
star
81

command-not-found

C#
10
star
82

TemplateConfig

Provides template for organizing DSC configuration scripts and supporting modules
PowerShell
10
star
83

SystemLocaleDsc

DSC Resource for configuring Windows System Locale
PowerShell
9
star
84

SmartPackageProvider

A PackageManagement provider to find and install packages using search engines
C#
9
star
85

xDisk

PowerShell
8
star
86

psl-pester

Fork of Pester for compatibility with PowerShell on Linux.
PowerShell
8
star
87

PowerShell-Blog-Samples

Samples for the PowerShell blog
PowerShell
8
star
88

ZLib

C
7
star
89

AWSBootStrapper

PowerShell
6
star
90

WSAProvider

A PackageManagement provider to find and install packages for Appx based packaging format
PowerShell
6
star
91

PowerShellGetDsc

DSCResources for the PowerShellGet module
PowerShell
5
star
92

DscConfiguration.Tests

Test automation scripts for evaluating the quality of DSC Configurations using Azure virtual machines and Azure Automation DSC.
PowerShell
5
star
93

SILDeploymentHelper

PowerShell
4
star
94

vscode-powershellise-keybindings

A Visual Studio Code extension that configures PowerShell ISE keybindings.
TypeScript
4
star
95

PSPackageProject

PowerShell
4
star
96

Compliance

3
star
97

.github

3
star
98

ISEAddOnExamples

3
star
99

pscore-docs-dotnet

PowerShell
2
star
100

JsonAdapterFeedbackPredictor

1
star