🔐 A simple credential manager to store and reuse multiple PSCredential objects.
Go to file
OCram85 6fce8d6a8c
continuous-integration/drone/push Build is passing Details
Updates libressl files (#71)
#### 📖 Summary

- adds missing `vendor` files into build package.
- adds missing `openssl.conf` in build package.
- updates libressl / openssl to v3.5.3

#### 📑 Test Plan

> 💡 Select your test plan for the code changes.

- [x] Tested via Drone.io pipeline
- [ ] Custom test
- [ ] No test plan

##### Details / Justification

<!-- Add your test details or justification for missing tests here. -->

#### 📚 Additional Notes

-  See `v1.1.0-dev9` build
  - https://gitea.ocram85.com/OCram85/PSCredentialStore/releases/tag/v1.1.0-dev9
Co-authored-by: OCram85 <marco.blessing@googlemail.com>
Reviewed-on: #71
2022-09-20 11:58:29 +02:00
.gitea update references (#60) 2022-07-13 08:34:31 +02:00
.vscode fix pester verbosity config (#58) 2022-06-28 09:52:29 +02:00
assets Adds Social Logo (#46) 2019-05-10 10:12:26 +02:00
bin Publish Pre-release (#1) 2017-09-21 13:32:15 +02:00
build adds DroneHelper (#61) 2022-07-15 08:28:21 +02:00
docs adds CiscoUCSCentral connection type (#67) 2022-07-19 14:29:25 +02:00
resources remove optional depenency helper (#68) 2022-07-26 11:33:10 +02:00
src Updates libressl files (#71) 2022-09-20 11:58:29 +02:00
tools Migrates to Pester5+ tests (#59) 2022-07-14 13:37:12 +02:00
.drone.yml Updates libressl files (#71) 2022-09-20 11:58:29 +02:00
.editorconfig Update pwsh style to latest community standards (#52) 2022-06-28 08:56:33 +02:00
.gitattributes Updates libressl files (#71) 2022-09-20 11:58:29 +02:00
.gitignore Migrates to Pester5+ tests (#59) 2022-07-14 13:37:12 +02:00
CHANGELOG.md addChangelog (#70) 2022-07-28 15:15:52 +02:00
LICENSE switch to GNU AGPLv3 license (#64) 2022-07-15 11:34:00 +02:00
README.md updates Readme (#69) 2022-07-28 10:41:46 +02:00

README.md

PSCredentialStore

PSCredentialStore

🔐 A simple cross-platform credential manager for PSCredential objects.

Master Branch Build Status PowershellGallery Published Version

🔑 General

The PSCredentialStore is a simple credential manager for PSCredential objects. It stores PSCredentials in a simple json file. You can choose between a private and shared credential store. The private one exists in your profile and can ony accessed by your account on the same machine. The shared store enables you to use different credentials for your scripts without exposing them as plain text.

PSCredentialStore was developed to simplify the delegation of complex powershell scripts. In this case you often need to store credentials for non interactive usage like in scheduled tasks.

Starting with version 1.0.0 PSCredential uses Pfx certificates fo encryption. You can use Pfx certificate files or certificates stored in the certificate store.

For more details read the about_PSCredentialStore page on Gitea or via CLI with Get-Help about_PSCredentialStore.

You can find the full reference in the /docs/ path as well.

🖖 Requirements

  • PowerShell >= 5.1
  • .NET Framework >= 4.6 or .NET Core >= 1.0

💣 About Security

This section explains some security topics and the design decisions we made to balance the usage and security needs.

To be able to delegate PSCredentials objects we can't exclusively rely on the SecureString cmdlets. You can't decrypt and reuse such credentials from a different user account or even machine. This is caused by automatically generated encryption key, which is used create a Secure String based encrypted string.

In order to delegate a password, while still using the underlying security framework, we have to provide a custom encryption key. This leads to the fact, that everyone who has access to the key could encrypt or decrypt your data.

So we decided to use the public and private keys from valid certificates as part of the custom encryption keys to encrypt your data.

This means clearly: Everyone who has access to the CredentialStore needs also access to the certificate file to work with it.

Keep in mind you need to secure the access with your NTFS file permissions to avoid unwanted usage. Another option is to import the certificate into your certification vaults of you operating system. In this case you can grand the permission to the certificates itself.

Here is a brief hierarchy description for the certificate lookup order: (First match wins)

CredentialStore Type Certificate Location
Private CurrentUser\My
Shared (Windows) CurrentUser\My
LocalMachine\Root
Shared (Linux) LocalMachine\My
LocalMachine\Root

🛠️ Installation

  • Make sure you use PowerShell 5.1 or higher with $PSVersionTable.
  • Use the builtin PackageManagement + PowerShellGet module and install PSCredentialStore with: Import-Module PowerShellGet; Install-Module 'PSCredentialStore' -Repository 'PSGallery'
    • Additionally use the -AllowPrerelease switch until we publish the final release!
  • Done. Start exploring the Module with Import-Module PSCredentialStore; Get-Command -Module PSCredentialStore

🏗️ Manual Way

  • Take a look at the Latest Release page.
  • Download the PSCredentialStore.zip.
  • Unpack the zip file and put it in your Powershell module path.
    • Don't forget to change the NTFS permission flag in the context menu.
  • Start with Import-Module PSCredentialStore

Quick Start

1. First we need a blank credential store. You can decide between a private or shared one.

💡 Note: The private credential store can only be accessed with your profile on the machine you created it.

Starting with version 1.0.0 you can decide the storage type of your fresh created certificate. As default PSCredentialStore creates a new pfx certificate file beside the credential store itself. Optionally you can provide the parameter -UseCertStore. This imports the new certificate in the user or machine certificate store as well.

# Private credential store
New-CredentialStore

# Private credential store with certificate store usage
New-CredentialStore -UseCertStore

# Shared credential store
New-CredentialStore -Shared

# Shared credential store in custom location
New-CredentialStore -Shared -Path 'C:\CredentialStore.json'

2. Now you can manage your credential store items:

# This will prompt for credentials and stores it in a private store
New-CredentialStoreItem -RemoteHost 'dc01.myside.local' -Identifier 'AD'

# You can now use it in other scripts like this:
$DCCreds = Get-CredentialStoreItem -RemoteHost 'dc01.myside.local' -Identifier 'AD'
Invoke-Command -ComputerName 'dc01.myside.local' -Credential $DCCreds -ScripBlock {Get-Process}

The credential store contains also a simple function to establish a connection with several systems or protocols. If you have already installed the underlying framework / modules, you can connect to these endpoint types:

  • CiscoUcs - Establish a connection to a Cisco UCS fabric interconnect.
  • FTP - Establish a connection to a FTP host.
  • NetAppFAS - Establish a connection to a NetApp Clustered ONTAP filer.
  • VMware - Establish a connection to a VMware vCenter or ESXi host.
  • CisServer - Establish a connection to the CisServer Service on vCenter Host.
  • ExchangeHTTP - Establish a remote connection with an Exchange endpoint via http.
    • Requires PowerShell remoting
  • ExchangeHTTPS - Establish a remote connection with an Exchange endpoint via https.
    • Requires PowerShell remoting
  • SCP - Establish a SCP connection.

Here are some basic examples:

Connect-To -RemoteHost "ucs.myside.local" -Type CiscoUcs
Connect-To -RemoteHost "ftp.myside.local" -Type FTP
Connect-To -RemoteHost "fas.myside.local" -Type NetAppFAS
Connect-To -RemoteHost "esx01.myside.local" -Type VMware
Connect-To -RemoteHost "vcr.myside.local" -Type CisServer
Connect-To -RemoteHost "exchange1.myside.local" -Type ExchangeHTTP
Connect-To -RemoteHost "exchange1.myside.local" -Type ExchangeHTTPS
Connect-To -RemoteHost "ubuntu.myside.local" -Type SCP

📌 Credits

A huge thanks to all the people who helped with their projects and indirect contributions which made this possible!