Microsoft has released a new version of the SecretManagement module for PowerShell. Version 6 of the SecretManagement module makes it simple to encrypt and store passwords and then recall them easily on demand. I’ll show how it works and how you can incorporate this tool into your daily scripting workflow.

Overview

The PowerShell team at Microsoft has been working on the SecretManagement module for over a year and has already released several versions. Each release has included additional features, functionality, and stronger security.

Secrets management in PowerShell is broken up into two parts: the engine and the storage vault. The SecretManagement module is the engine and is responsible for the management and encryption of passwords and other secrets. The secrets are then stored in a vault. I will demo the SecretManagement module and the SecretStore vault, which is a vault offered by Microsoft.

There are other vaults available for LastPass, KeePass, HashiCorp Vault, Keychain, and the Windows Credential Manager. These vaults are built by the open-source community, and more become available all the time. Sydney Smith from the PowerShell team at Microsoft wrote an excellent blog post explaining this in further detail. I encourage you to read her article, as it contains useful tips for working with the vault.

At the time of writing, the current modules from Microsoft are preview versions. They're not officially considered "production ready," but I have used these modules in my production environment for over a month now with no bugs, hiccups, or gotchas. Let's roll up our sleeves and see how these modules work.

Installation

I will be installing the Preview6 version of the SecretManagement module and Preview4 of the SecretStore. Both modules work in Windows PowerShell (version 5.x) and PowerShell Core (versions 6.x and 7.x). Installation of the modules is easy to do, but there are two potential gotchas to watch for.

The first is that since these are preview modules, you need to use the -AllowPrerelease parameter during installation. That parameter isn't available with the default version of Windows PowerShell v5.x. To get around that issue, you need to update your version of the PowerShellGet module to the latest version. PowerShellGet is the module that handles installing modules. The syntax for the PowerShellGet module update is:

$params = @{
    Name              = 'PowerShellGet'
    Repository        = 'PSGallery'
    AllowClobber      = $true
    Force             = $true
}
Install-Module @Params

The second point to be aware of is that these latest versions of the modules contain breaking changes. You need to uninstall any old module versions before installing these recent versions. With that out of the way, let's install the SecretManagement module, which, as I mentioned, is the engine that does all the processing and encryption:

$params = @{
    Name              = 'Microsoft.PowerShell.SecretManagement'
    AllowPreRelease   = $true
    Repository        = 'PSGallery'
}
Install-Module @Params

Then you will install a vault that will store your secrets. I will be using the SecretStore module:

$params = @{
    Name              = 'Microsoft.PowerShell.SecretStore'
    AllowPreRelease   = $true
    Repository        = 'PSGallery'
}
Install-Module @Params
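
Both gotchas can be checked before you run Install-Module. The script below is an added example, not part of the original article or of Microsoft's modules; the function name Test-SecretModulePrereq and the shape of its output are hypothetical choices made for illustration.

```powershell
# Added example: pre-flight checks for the two installation gotchas described above.
# Test-SecretModulePrereq and its -Modules parameter are hypothetical names.
function Test-SecretModulePrereq {
    [CmdletBinding()]
    param(
        [string[]]$Modules = @(
            'Microsoft.PowerShell.SecretManagement',
            'Microsoft.PowerShell.SecretStore'
        )
    )

    # Gotcha 1: older PowerShellGet builds have no -AllowPrerelease on Install-Module.
    $installCmd = Get-Command -Name Install-Module -ErrorAction Stop
    $psGet = Get-Module -Name PowerShellGet -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Check  = 'Install-Module supports -AllowPrerelease'
        Passed = $installCmd.Parameters.ContainsKey('AllowPrerelease')
        Detail = "Newest PowerShellGet on disk: $($psGet.Version); in use: $($installCmd.Version)"
    }

    # Gotcha 2: earlier builds of the modules must be removed before installing the new ones.
    foreach ($name in $Modules) {
        $found = @(Get-Module -Name $name -ListAvailable)
        [pscustomobject]@{
            Check  = "No earlier copy of $name present"
            Passed = ($found.Count -eq 0)
            Detail = if ($found) {
                ($found | ForEach-Object { "$($_.Version) at $($_.ModuleBase)" }) -join '; '
            } else {
                'none found'
            }
        }
    }
}

$results = Test-SecretModulePrereq
$results | Format-Table -AutoSize -Wrap

if ($results.Passed -contains $false) {
    Write-Warning 'Resolve the failed checks (update PowerShellGet, uninstall old module versions) before installing.'
}
```

If the first check still fails after updating PowerShellGet, start a new PowerShell session so the updated module is the one that gets loaded.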

Creating the Secrets Vault

After installation is completed, the next step is to create a vault for storing your secrets. This process is called "registering a vault":

$params = @{
    Name            = 'VaultDemo'
    ModuleName      = 'Microsoft.PowerShell.SecretStore'
    DefaultVault    = $true
    AllowClobber    = $true
}
Register-SecretVault @params

Registering your first vault

The vault you