From 8e152292457e657a8ac7ba76ca6fbe76a5d83c33 Mon Sep 17 00:00:00 2001 From: OCram85 Date: Thu, 23 Jan 2020 12:53:00 +0100 Subject: [PATCH] update about page based on readme.md --- docs/about_PSCredentialStore.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/docs/about_PSCredentialStore.md b/docs/about_PSCredentialStore.md index 95db59b..e0f33cc 100644 --- a/docs/about_PSCredentialStore.md +++ b/docs/about_PSCredentialStore.md @@ -26,6 +26,36 @@ For more details read the [about_PSCredentialStore](/docs/about_PSCredentialStor - PowerShell >= `5.1` - .NET Framework >= `4.6` or .NET Core >= `1.0` +## About Security + +>This section explains some security topics and the the design decisions we made to balance the usage and security needs. + +To be able to delegate `PSCredentials` objects we can't exclusively rely on the `SecureString` cmdlets. You can't +decrypt and reuse such credentials from a different user account or even machine. This is caused by automatically +generated encryption key which, is used create a `Secure String` based encrypted string. + +In order to delegate a password, while still using the underlying security framework, we have to provide a custom +encryption key. This leads to the fact, that everyone who has access to the key could encrypt or decrypt your data. + +So we decided to use the public and private keys from valid certificates as part of the custom encryption keys to encrypt your data. + +This means clearly: Everyone who has access to the `CredentialStore` needs also access to the certificate file to work with it. + +Keep in mind you need to secure the access with your NTFS file permissions to avoid unwanted usage. Another option is +to import the certificate into your certification vaults of you operating system. In this case you can grand the +permission to the certificates itself. + +Here is s brief hierarchy description of the certificate location: *(First match wins)* + +| CredentialStore Type | Certificate Location | +| -------------------- | ---------------------- | +| Private | `CurrentUser`\\`My` | +| Shared (Windows) | `CurrentUser`\\`My` | +| | `LocalMachine`\\`Root` | +| Shared (Linux) | `LocalMachine`\\`My` | +| | `LocalMachine`\\`Root` | + + ## Installation ## PowerShellGallery.com (Recommended Way) @@ -56,7 +86,7 @@ New-CredentialStore # Private credential store with certificate store usage New-CredentialStore -UseCertStore -# Shared credential rtore +# Shared credential store New-CredentialStore -Shared #Shared credential store in custom Location