Best way to Secure Credentials inside PowerShell Scripts

1 – Why is securing passwords in PowerShell scripts crucial?

Securing passwords in PowerShell scripts is essential for several reasons:

  • Protection against attacks: unsecured scripts can be exploited by attackers to gain access to sensitive information. If a password is hard-coded in a script, it can be read by anyone with access to the script.
  • Data leakage prevention: if a password is exposed in a script, it may be accidentally shared or stored in an unsecured location, leading to a data leak.
  • Bad programming practice: storing passwords in plain text in scripts is considered bad programming practice. It indicates a lack of awareness of basic security principles and can damage the credibility of the script developer.

2 – How to Secure Credentials inside PowerShell Scripts?

In the world of automation and systems management, PowerShell scripts have become an indispensable tool. However, a major challenge arises when it comes to managing sensitive credentials, such as passwords, within these scripts.

Indeed, storing passwords directly in scripts poses a significant security risk. If a script containing plaintext passwords falls into the wrong hands, the consequences can be disastrous. What’s more, even if passwords are stored in XML files, they can easily be decrypted and compromised.

Another approach is to use interactive passwords, where the user is prompted to enter the password each time the script is run. However, this method is impractical for automation scenarios where scripts need to be run without human intervention.

Faced with these challenges, one solution that has emerged is the use of PowerShell Vault. PowerShell Vault is a tool for centralizing and securing all passwords. It offers a robust solution for managing passwords in PowerShell scripts. With PowerShell Vault, passwords are securely stored and can be retrieved by scripts as needed. This eliminates the need to store passwords in the scripts themselves, thus improving security.

3 – What is PowerShell Vault?

The PowerShell Vault module, also known as “Microsoft.PowerShell.SecretManagement”, is a tool that offers a convenient way for a user to store and retrieve secrets. Secrets are stored in SecretManagement extension vaults.

An extension vault is a PowerShell module that has been registered with SecretManagement and exports the five module functions required by SecretManagement. An extension vault can store secrets locally or remotely. Extension vaults are registered in the context of the currently logged-in user and are available only to that user.

Here are some important commands from the PowerShell Vault module:

  • Get-Secret: finds and returns a secret by name from registered vaults.
  • Get-SecretInfo: finds and returns metadata information about secrets in registered vaults.
  • Get-SecretVault: finds and returns information on registered vaults.
  • Register-SecretVault: registers a SecretManagement extension vault module for the current user.
  • Remove-Secret: removes a secret from a specified registered extension vault.
  • Set-Secret: adds a secret to a registered SecretManagement vault.
  • Set-SecretInfo: adds or replaces additional secret metadata on a secret currently stored in a vault.
  • Set-SecretVaultDefault: sets the named vault as the default vault for the current user.
  • Test-SecretVault: executes an extension vault self-test.
  • Unregister-SecretVault: unregisters an extension vault from SecretManagement for the current user.

4 – Mindmap to Secure Credentials inside PowerShell Scripts:

Here is how to secure credentials inside PowerShell scripts:

5 – Prepare PowerShell Vault:

In this section we will see how to install the essential modules, how to create a vault, how to create a secret and how to get secrets.

To prepare PowerShell Vault, please follow these steps:

  • Open PowerShell ISE as administrator
  • Install the Microsoft.PowerShell.SecretManagement module and the Microsoft.PowerShell.SecretStore module
# To install the Secret Management module from the PowerShell Gallery, use the following command:
Install-Module -Name Microsoft.PowerShell.SecretManagement -Force

# To install the Secret Store module from the PowerShell Gallery, use the following command:
Install-Module -Name Microsoft.PowerShell.SecretStore -Force
  • Check that both modules were successfully installed:
# Check that the Secret Management module is successfully installed
Get-InstalledModule -Name Microsoft.PowerShell.SecretManagement

# Check that the Secret Store module is successfully installed
Get-InstalledModule -Name Microsoft.PowerShell.SecretStore

Here is the execution result:

  • Register a new vault named “My-Vault”; this vault will be used by default to store secrets:
# Register a new vault named My-Vault and make it the default vault
Register-SecretVault -Name My-Vault -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

Check the newly registered vault and confirm that it is the default vault:

# To see registered vaults (the IsDefault column shows the default one)
Get-SecretVault

Here is the execution result:

  • Before beginning to use the vault, we should set a new password:
# Before beginning to use the vault, we should set a new password
Set-SecretStorePassword -NewPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)
  • To unlock the vault and begin using it:
# To unlock the vault and begin using it
Unlock-SecretStore -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)
  • To create a secret for an Office 365 account (as an example), run Set-Secret with a name and a value:
# To create a secret, run Set-Secret with a name and a value
Set-Secret -Name "PasswordOffice365" -Secret "Pass123456" -Vault My-Vault
  • To retrieve the value, call the Get-Secret command with the name of the secret:
# To retrieve the secret as a SecureString (the default)
Get-Secret -Name "PasswordOffice365" -Vault My-Vault
# To retrieve the secret as plain text
Get-Secret -Name "PasswordOffice365" -Vault My-Vault -AsPlainText
  • You can add metadata to describe the secret, such as the purpose of the saved value.
# You can add metadata to describe the secret, such as the purpose of the saved value. 
Set-Secret -Name "OAuthToken" -Secret "eyJ0eXAiOiJKV1QiLCJhbGci324OiJSUzI1NiJ9" -Metadata @{Purpose="Office 365 OAuth Token"}
  • To remove a stored secret, use the following PowerShell command:
# To remove a stored secret from the vault
Remove-Secret -Name "PasswordOffice365" -Vault My-Vault
  • In this example, I will create full credentials (login + password) to be stored in PowerShell Vault, then I will use them in the following section (Start using PowerShell Vault)
# Create Microsoft 365 Credential Secret
$username = "admin@domain.onmicrosoft.com"

$password = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential($username,$password)

# Create the secret by storing the PSCredential object
Set-Secret -Name "M365Creds" -Secret $creds -Metadata @{Information="M365 Credentials for Tenant"}
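The preparation steps above, put together as one idempotent setup script. This is an added example, not the post's own code: it assumes the store password has already been set with Set-SecretStorePassword as shown earlier, reuses the post's vault name "My-Vault" and secret name "M365Creds", and reads both passwords from the console so that neither ends up in the script text. The function name Initialize-CredentialVault is hypothetical.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

function Initialize-CredentialVault {
    param(
        [string]$VaultName  = 'My-Vault',
        [string]$SecretName = 'M365Creds',
        [string]$UserName   = 'admin@domain.onmicrosoft.com'   # constructed sample account
    )

    # Register the SecretStore-backed vault only if it is not already registered,
    # so the script can be re-run safely.
    $vault = Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue
    if (-not $vault) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
    }

    # The store password is typed at the console as a SecureString, never written in the script.
    $storePassword = Read-Host -Prompt 'SecretStore password' -AsSecureString
    Unlock-SecretStore -Password $storePassword

    # The account password is also entered interactively; the PSCredential object is what gets stored.
    $accountPassword = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $cred = [System.Management.Automation.PSCredential]::new($UserName, $accountPassword)

    Set-Secret -Name $SecretName -Secret $cred -Vault $VaultName `
        -Metadata @{ Information = 'M365 Credentials for Tenant'; Created = (Get-Date).ToString('o') }

    # Verify what was actually stored: the type must be PSCredential, not a loose string.
    $info = Get-SecretInfo -Name $SecretName -Vault $VaultName
    if ($info.Type -ne 'PSCredential') {
        throw "Secret '$SecretName' was stored as $($info.Type); expected PSCredential"
    }
    return $info
}

Initialize-CredentialVault
```

Get-SecretInfo returns only metadata (name, type, vault, metadata hashtable), so the verification step never exposes the password itself.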

6 – Start using PowerShell Vault:

To be able to use PowerShell Vault, just add these two lines to your script. This code asks for the vault credential and lets you connect securely to your vault in interactive mode:

  • Enter your vault credentials
# Read Password
$Passwd = (Read-Host -Prompt "Enter password" -AsSecureString)

# To Unlock Vault and Begin use it 
Unlock-SecretStore -Password $Passwd

Here I retrieve the previously created credentials “M365Creds” to connect to Microsoft Online:

# Retrieve the Stored Credentials
$m365creds = Get-Secret -Name "M365Creds"

# Connect to Microsoft Online with the retrieved credentials
Connect-MsolService -Credential $m365creds
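The section above unlocks the vault interactively, which section 2 notes is impractical for unattended automation. As an added example (not the post's own code), here the store password is captured once and persisted with Export-Clixml, which on Windows protects the SecureString with DPAPI so only the same user on the same machine can read it back; the script itself contains neither the store password nor the M365 password. The file path and the function names Protect-StorePassword and Get-VaultCredential are assumptions.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

# Assumed location for the DPAPI-protected store password (Windows only; on Linux/macOS
# Export-Clixml does not encrypt SecureStrings, so this pattern must not be used there).
$StorePasswordFile = Join-Path $env:LOCALAPPDATA 'secretstore-password.xml'

function Protect-StorePassword {
    # One-time, interactive step: capture the store password and persist it DPAPI-protected.
    Read-Host -Prompt 'SecretStore password' -AsSecureString | Export-Clixml -Path $StorePasswordFile
}

function Get-VaultCredential {
    param([string]$Name = 'M365Creds', [string]$VaultName = 'My-Vault')

    if (-not (Test-Path $StorePasswordFile)) {
        throw "No protected store password at $StorePasswordFile; run Protect-StorePassword first."
    }
    $storePassword = Import-Clixml -Path $StorePasswordFile          # comes back as a SecureString
    Unlock-SecretStore -Password $storePassword -PasswordTimeout 60   # store re-locks after 60 s

    # Fail loudly if the secret is missing instead of passing $null on to Connect-MsolService.
    try {
        $cred = Get-Secret -Name $Name -Vault $VaultName -ErrorAction Stop
    } catch {
        throw "Secret '$Name' could not be read from vault '$VaultName': $($_.Exception.Message)"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "Secret '$Name' is a $($cred.GetType().Name); expected PSCredential"
    }
    return $cred
}

# First run (interactive) stores the protected password; later runs need no prompt.
if (-not (Test-Path $StorePasswordFile)) { Protect-StorePassword }
$m365creds = Get-VaultCredential
Connect-MsolService -Credential $m365creds
```

If the store's Interaction setting is still Prompt, a locked store will stop a scheduled task with a console prompt; for unattended runs set it to None with Set-SecretStoreConfiguration -Interaction None.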
  • Enjoy password security 😎

Conclusion:

By securing passwords in your PowerShell scripts, you can protect your system against malicious intrusions, data leaks and other security threats. Adopt security best practices and use the alternative methods mentioned above to ensure the security of your passwords and your IT infrastructure.

Thanks

Aymen EL JAZIRI (Microsoft MVP)