- Export and import to and from Excel with the PowerShell module ImportExcel - Thu, Apr 21 2022
- Getting started with the PSReadLine module for PowerShell - Thu, Feb 24 2022
- SecretsManagement module for PowerShell: Save passwords in PowerShell - Tue, Dec 22 2020
Overview ^
The PowerShell team at Microsoft has been working on the SecretsManagement module for over a year and has already released several versions. Each release has included additional features, functionality, and stronger security.
Secrets management in PowerShell is broken up into two parts: the engine and the storage vault. The SecretsManagement module is the engine and is responsible for the management and encryption of passwords and other secrets. The secrets are then stored in a vault. I will demo the SecretsManagement module and the SecretStore vault, which is a vault offered from Microsoft.
There are other vaults available for LastPass, KeePass, HashiCorp Vault, Keychain, and the Windows Credential Manager. These vaults are built by the open-source community, and more become available all the time. Sydney Smith from the PowerShell team at Microsoft wrote an excellent blog post explaining this in further detail. I encourage you to read her article, as it contains useful tips for working with the vault.
At the time of writing, the current modules from Microsoft are preview versions. They're not officially considered "production ready," but I have used these modules in my production environment for over a month now with no bugs, hiccups, or gotchas. Let's roll up our sleeves and see how these modules work.
Installation ^
I will be installing the Preview6 version of the SecretsManagement module and Preview4 of the SecretStore. Both modules work in Windows PowerShell (version 5.x) and PowerShell Core (versions 6.x and 7.x). Installation of the modules is easy to do, but there are two potential gotchas to watch for.
The first is that since these are preview modules, you need to use the -AllowPrelease parameter during installation. That parameter isn't available with the default version of WindowsPowerShell v5.x. To get around that issue, you need to update your version of the PowerShellGet module to the latest version. PowerShellGet is the module that handles installing modules. The syntax for the PowerShellGet module update is:
$params = @{ Name = 'PowerShellGet' Repository = 'PSGallery' AllowClobber = $true Force = $true } Install-Module @Params
The second point to be aware of is that these latest versions of the modules contain breaking changes. You need to uninstall any old module versions before installing these recent versions. With that out of the way, let's install the SecretsManagement module, which I mentioned is the engine that does all the processing and encryption:
$params = @{ Name = 'Microsoft.PowerShell.SecretManagement' AllowPreRelease = $true Repository = 'PSGallery' } Install-Module @Params
Then you will install a vault that will store your secrets. I will be using the SecretStore module:
$params = @{ Name = 'Microsoft.PowerShell.SecretStore' AllowPreRelease = $true Repository = 'PSGallery' } Install-Module @Params
Creating the Secrets Vault ^
After installation is completed, the next step is to create a vault for storing your secrets. This process is called "registering a vault":
$params = @{ Name = 'VaultDemo' ModuleName = 'Microsoft.PowerShell.SecretStore' DefaultVault = $true AllowClobber = $true } Register-SecretVault @params
The vault you