SecretManagement and SecretStore Release Candidates

Sydney Smith


The SecretManagement and SecretStore release candidate (RC) modules are now available on the PowerShell Gallery.

The SecretManagement module helps users manage secrets by providing a common set of cmdlets to interface with secrets across vaults. This module supports an extensible model where local and remote vaults can be registered and unregistered for use in accessing and retrieving secrets. SecretStore is a cross-platform local extension vault for use with SecretManagement. We designed this vault as a best attempt at creating a vault that is available where PowerShell is, usable in popular PowerShell scenarios (like automation and remoting) and utilizes common security practices.

For more information on these modules check out these previous blog posts:

Before installing these modules, please uninstall the current preview versions of the modules and restart your PowerShell session.

To install these updates run the following commands:

Uninstall-Module Microsoft.PowerShell.SecretManagement -Force 
Uninstall-Module Microsoft.PowerShell.SecretStore -Force 
# Restart your PowerShell session 
Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery 
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery 
Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
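
A smoke test to run once the vault is registered, added here as an example (it is not code from the original post or from the modules themselves). It uses the renamed Set-SecretVaultDefault cmdlet and the common SecretManagement cmdlets. The secret names and values are constructed samples, and SecretStore will prompt for the store password on first use in its default configuration.

```powershell
# Added example: smoke test for a freshly registered SecretStore vault.
# 'Demo.ApiToken', 'Demo.SvcAccount' and their values are constructed samples.
$vault = 'SecretStore'

# Fail early if the vault is not registered for the current user.
if (-not (Get-SecretVault -Name $vault -ErrorAction SilentlyContinue)) {
    throw "Vault '$vault' is not registered; run Register-SecretVault first."
}

# This release renames Set-DefaultVault to Set-SecretVaultDefault.
Set-SecretVaultDefault -Name $vault

# Test-SecretVault asks the extension vault to validate itself and returns a boolean.
if (-not (Test-SecretVault -Name $vault)) {
    throw "Vault '$vault' failed its self-test."
}

# Store a SecureString and a PSCredential. ConvertTo-SecureString -AsPlainText
# appears only so the example is self-contained; real scripts should not embed
# secret values in source.
$token = ConvertTo-SecureString 'constructed-sample-token' -AsPlainText -Force
$pass  = ConvertTo-SecureString 'constructed-sample-password' -AsPlainText -Force
$cred  = [pscredential]::new('svc-demo', $pass)
Set-Secret -Name 'Demo.ApiToken'   -Secret $token -Vault $vault
Set-Secret -Name 'Demo.SvcAccount' -Secret $cred  -Vault $vault

# Get-SecretInfo lists names and types without exposing the values.
Get-SecretInfo -Name 'Demo.*' -Vault $vault | Format-Table Name, Type, VaultName

# The value comes back as a SecureString unless -AsPlainText is requested,
# so it does not land in transcripts or logs by accident.
$retrieved = Get-Secret -Name 'Demo.ApiToken' -Vault $vault
if ($retrieved -isnot [securestring]) { throw 'Expected a SecureString.' }

# Credentials come back as PSCredential, ready for -Credential parameters.
$svc = Get-Secret -Name 'Demo.SvcAccount' -Vault $vault
"Retrieved credential for user: $($svc.UserName)"

# Clean up the sample secrets.
'Demo.ApiToken', 'Demo.SvcAccount' |
    ForEach-Object { Remove-Secret -Name $_ -Vault $vault }
```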

SecretManagement Updates

  • Register-SecretVault no longer emits an error when strict language mode is set
  • Set-DefaultVault cmdlet has been renamed to Set-SecretVaultDefault

General Availability (GA)

This is a “go live” release, which means that we feel that this RC is feature complete and of GA quality. If no bugs are identified through this release, we will increment the versioning and declare the modules as GA in early February. If any high-risk bugs are identified we will continue to release RCs until the quality bar is met for a GA release.

The Extension Vault Ecosystem

To find other SecretManagement extension vault modules, search the PowerShell Gallery for the “SecretManagement” tag. Some community vault extensions that are available:

Thank you to everyone who has created vaults thus far!

Feedback and Support

Community feedback has been essential to the iterative development of these modules. Thank you to everyone who has contributed issues and feedback thus far! To file issues or get support for the SecretManagement interface or vault development experience, please use the SecretManagement repository. For issues that pertain specifically to the SecretStore and its cmdlet interface, please use the SecretStore repository.

Sydney Smith

PowerShell Team

5 comments


  • Joseph Cestra

    Are you allowed to create\register multiple vaults of type ‘SecretStore’ each storing a different set of secrets and each having a different configuration i.e one with password requirement and one without? It seems Set-SecretStoreConfiguration operates on all SecretStore vaults created and no way to configure them individually.

  • Urs Rau

    Is the secretstore file ‘portable’? So I can set it up once on one machine and then simply ‘copy’ the secretstore file to another machine, maybe it needs re-registering at that point?

    The local nature of the secretstore is great but NOT if I have to set up the secrets on tens ( or hundreds ) of machines …

    And once it does this, the next natural question is can I have multiple local secret stores registered? ( which will presumably mean we’ll have to have a way to specify the local store file name to be used? )

    • Mike Kanakos

      The SecretStore is not portable because it was designed to be on the local machine.

      However, I think you are thinking about this problem the wrong way. The SecretStore vault is one vault available for storing secrets. It’s provided by Microsoft because you literally need to be able to store secrets somewhere. However, maybe the SecretStore module is not the right fit for you. There are currently 8 other vaults available that you can use. Many of those vaults are cloud / web based, which would solve your problem of carrying secrets to multiple machines.

      You can find them by browsing the PowerShell gallery or from your cmd prompt with the following syntax:

      find-module -tag secretmanagement | select name, description | Format-List
      
      
      Name        : Microsoft.PowerShell.SecretStore
      Description : This PowerShell module is an extension vault for the PowerShell SecretManagement module.
                    As an extension vault, this module stores secrets to the local machine based on the current user
                    account context. The secrets are encrypted on file using .NET Crypto APIs. A password is required
                    in the default configuration. The configuration can be changed with the provided cmdlets.
      
                    Go to GitHub for more information about this module and to submit issues:
                    https://github.com/powershell/SecretStore
      
      Description : A cross-platform Keepass Secret Management vault extension. See the README.MD in the module for more details.
      
      Name        : SecretManagement.LastPass
      Description : SecretManagement extension for LastPass!
      
      Name        : SecretManagement.BitWarden
      Description : SecretManagement extension for BitWarden!
      
      Name        : SecretManagement.1Password
      Description : SecretManagement extension for 1Password
      
      Name        : SecretManagement.KeyChain
      Description : SecretManagement extension vault for macOS KeyChain
      
      Name        : SecretManagement.Chromium
      Description : A cross-platform Chromium (Edge/Chrome) Secret Management vault extension. See the README.MD in the module for
                    more details.
      
      Name        : SecretManagement.Keybase
      Description : Keybase Secret Management Extension
      
      Name        : SecretManagement.PleasantPasswordServer
      Description : A cross-platform Pleasent Password Server Secret Management vault extension. See the README.MD in the module for
                    more details.
  • Mike Kanakos

    Hello PowerShell community !

    I have blogged extensively about the SecretsManagement module. You can find my resources in multiple places:

    blog writeup
    Online demo

    Also my usergroup has covered this topic as well on more than one occasion.

    Also, I have articles being published soon on the various extensions:
    http://www.networkadm.in