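/Functions/Convert-SecureStringTo32ByteKey.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Convert a secure string to a byte array.

.DESCRIPTION
Convert the supplied secure string to a 32 byte array by taking the SHA-256 digest of its
UTF-8 encoded value. The result is used as the AES-256 pre-shared key by
ConvertFrom-FIPSSecureString and ConvertTo-FIPSSecureString.

.PARAMETER SecureString
A secure string object.

.OUTPUTS
System.Byte[] - 32 bytes (256 bits).

.NOTES
A single unsalted SHA-256 is not a password-based key derivation function: a short or
guessable pass-phrase remains cheap to brute-force offline against a captured ciphertext.
Changing the derivation (e.g. to PBKDF2) would change the key and break every value already
encrypted with this module, so it is kept as-is and callers are expected to use long,
high-entropy pass-phrases.

.EXAMPLE
Convert-SecureStringTo32ByteKey -SecureString ( ConvertTo-SecureString -String 'Pr3$haredK3y' -AsPlainText -Force )
#>
function Convert-SecureStringTo32ByteKey
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true,ValueFromPipeline=$True,Position=1)]
        [ValidateNotNullOrEmpty()]
        [System.Security.SecureString]
        $SecureString
    )

    $hasher = New-Object -TypeName System.Security.Cryptography.SHA256CryptoServiceProvider

    # Initialised before the try so the finally block never sees an unassigned handle
    $bstr = [IntPtr]::Zero

    try
    {
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)

        # PtrToStringBSTR honours the BSTR length prefix; PtrToStringAuto assumes the platform
        # default encoding and silently truncates the value on non-Windows hosts.
        $plainText = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

        $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($plainText))
    }
    finally
    {
        # Only the unmanaged copy can be scrubbed; the managed string above lives until collected.
        if ($bstr -ne [IntPtr]::Zero)
        {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
        $hasher.Dispose()
    }
}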
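/Functions/ConvertFrom-FipsSecureString.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Converts a SecureString object into encrypted text with a FIPS compliant algorithm using a pre-shared key.
The Pre-Shared key can be provided as either a 32 byte array or a SecureString value.

.DESCRIPTION
The value is encrypted with AES-256 in CBC mode (PKCS7 padding) under a fresh random IV and
returned as Base64(IV || ciphertext). The format carries no authentication tag, so a modified
string is not detected on decryption; keep the output where untrusted parties cannot alter it.

.PARAMETER SecureString
The SecureString object that will be returned as an encrypted string.

.PARAMETER Key
An array of 32 bytes that will be used as the pre-shared key for encryption.

.PARAMETER SecureKey
A SecureString that will be converted into a 32 byte array used as the pre-shared key for encryption.

.OUTPUTS
System.String - Base64 text of the 16 byte IV followed by the ciphertext.

.EXAMPLE
ConvertFrom-FIPSSecureString -SecureString $MySecretValue -SecureKey ( ConvertTo-SecureString -String 'Pr3$haredK3y' -AsPlainText -Force ) | Out-File ./encryptedText.txt

Encrypts a SecureString object and saves it to disk.
#>
function ConvertFrom-FIPSSecureString
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$true,ParameterSetName="KeyByte")]
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$true,ParameterSetName="SecureKey")]
        [ValidateNotNullOrEmpty()]
        [System.Security.SecureString]
        $SecureString,

        [Parameter(Mandatory=$True,ParameterSetName='KeyByte')]
        [ValidateNotNullOrEmpty()]
        [System.Byte[]]
        $Key,

        [Parameter(Mandatory=$True,ParameterSetName='SecureKey')]
        [ValidateNotNullOrEmpty()]
        [System.Security.SecureString]
        $SecureKey
    )

    if ($PSBoundParameters.ContainsKey('SecureKey'))
    {
        $Key = Convert-SecureStringTo32ByteKey -SecureString $SecureKey
    }

    if ($null -eq $Key -or $Key.GetLength(0) -ne 32)
    {
        throw 'Key must be provided as a 32byte (256bit) byte array'
    }

    # Recover the plain text bytes; the unmanaged copy is zeroed as soon as it has been read.
    $bstr = [IntPtr]::Zero
    try
    {
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        # PtrToStringBSTR honours the BSTR length prefix on every platform; PtrToStringAuto does not.
        $dataBytes = [System.Text.Encoding]::UTF8.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    }
    finally
    {
        if ($bstr -ne [IntPtr]::Zero)
        {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }

    $aes = New-Object -TypeName System.Security.Cryptography.AesCryptoServiceProvider
    $encryptionObject = $null
    try
    {
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.BlockSize = 128
        $aes.KeySize = 256
        $aes.Key = $Key
        # $aes.IV is generated randomly by the provider for this instance and is prepended to the output

        $encryptionObject = $aes.CreateEncryptor()

        Write-Verbose -Message 'Converting SecureString to encrypted string with AESCryptoServiceProvider'
        [System.Byte[]]$encryptedDataBytes = $aes.IV + ($encryptionObject.TransformFinalBlock($dataBytes, 0, $dataBytes.Length))
    }
    finally
    {
        # Scrub the plain text buffer and release the provider objects even when encryption throws
        [Array]::Clear($dataBytes, 0, $dataBytes.Length)
        if ($null -ne $encryptionObject)
        {
            $encryptionObject.Dispose()
        }
        $aes.Dispose()
    }

    return [System.Convert]::ToBase64String($encryptedDataBytes)
}
--------------------------------------------------------------------------------
/Functions/ConvertFrom-PKISecureString.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Converts a SecureString object into encrypted text with the public key of a PKI certificate.

.PARAMETER SecureString
The SecureString object that will be returned as an encrypted string.

.PARAMETER Thumbprint
The Thumbprint of a certificate on the local computer that will be used to encrypt the string.

.PARAMETER CertificateFile
Path to a .CER certificate public key file that will be used to encrypt the string.

.PARAMETER CertificateStore
Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.

.EXAMPLE
ConvertFrom-PKISecureString -SecureString $MySecretValue -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' | Out-File ./encryptedText.txt

Encrypts a SecureString object and saves it to disk.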
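
.OUTPUTS
System.String - Base64 text of the RSA-OAEP (SHA-1) ciphertext; only the holder of the matching private key can decrypt it.

.NOTES
Only RSA certificates are supported. The public key is obtained through GetRSAPublicKey, which
requires .NET Framework 4.6+ or .NET Core and works with keys held by either CSP or CNG
providers; the previous PublicKey.Key.Encrypt call only existed on RSACryptoServiceProvider.
#>
function ConvertFrom-PKISecureString
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$True,ParameterSetName='Thumbprint')]
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$True,ParameterSetName='CertFile')]
        [ValidateNotNullOrEmpty()]
        [System.Security.SecureString]
        $SecureString,

        # A thumbprint is 40 hex characters; the pattern also keeps wildcard characters out of
        # the Cert: path built below, which Get-Item would otherwise expand.
        [Parameter(Mandatory=$true,ParameterSetName='Thumbprint')]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory=$True,ParameterSetName='CertFile')]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [System.String]
        $CertificateFile,

        [Parameter(Mandatory=$False,ParameterSetName='Thumbprint')]
        [ValidateSet('CurrentUser','LocalMachine')]
        [System.String]
        $CertificateStore
    )

    # Recover the plain text bytes; the unmanaged copy is zeroed as soon as it has been read.
    $bstr = [IntPtr]::Zero
    try
    {
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        # PtrToStringBSTR honours the BSTR length prefix on every platform; PtrToStringAuto does not.
        $dataBytes = [System.Text.Encoding]::UTF8.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    }
    finally
    {
        if ($bstr -ne [IntPtr]::Zero)
        {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }

    if ($PSCmdlet.ParameterSetName -eq 'CertFile')
    {
        # The X509Certificate2 constructor resolves relative paths against the process working
        # directory rather than the PowerShell location, so resolve through the provider first.
        $certificatePath = (Resolve-Path -LiteralPath $CertificateFile).ProviderPath
        $Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificatePath
        if ($null -eq $Certificate.Thumbprint)
        {
            throw "$CertificateFile does not appear to be a valid x509 certificate file"
        }
    }
    else
    {
        if ($PSBoundParameters.ContainsKey('CertificateStore'))
        {
            $searchStores = @($CertificateStore)
        }
        else
        {
            # first look in CurrentUser, then fall back to LocalMachine
            $searchStores = @('CurrentUser', 'LocalMachine')
        }

        $Certificate = $null
        foreach ($store in $searchStores)
        {
            $Certificate = Get-Item -Path "Cert:\$store\My\$Thumbprint" -ErrorAction SilentlyContinue
            if ($null -ne $Certificate.Thumbprint)
            {
                break
            }
        }

        if ($null -eq $Certificate.Thumbprint)
        {
            throw "Could not find a valid certificate in the $($searchStores -join ' or ') store with thumbprint $Thumbprint"
        }
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa)
    {
        throw "Certificate $($Certificate.Thumbprint) does not contain an RSA public key"
    }

    try
    {
        Write-Verbose "Converting SecureString to encrypted string with certificate thumbprint $($Certificate.Thumbprint)"
        # OaepSHA1 is the padding RSACryptoServiceProvider.Encrypt($data, $true) applied, so the
        # output stays decryptable by ConvertTo-PKISecureString and by previously exported files.
        $EncryptedBytes = $rsa.Encrypt($dataBytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)
    }
    finally
    {
        # Scrub the plain text buffer; GetRSAPublicKey hands out a separate RSA object that we own.
        [Array]::Clear($dataBytes, 0, $dataBytes.Length)
        $rsa.Dispose()
    }

    return [System.Convert]::ToBase64String($EncryptedBytes)
}
--------------------------------------------------------------------------------
/Functions/ConvertTo-FIPSSecureString.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Converts a string of encrypted text back into a SecureString object with a FIPS compliant algorithm using a pre-shared key.
The Pre-Shared key can be provided as either a 32 byte array or a SecureString value.

.PARAMETER EncryptedString
The string of encrypted text to convert back into a SecureString object

.PARAMETER Key
An array of 32 bytes that will be used as the pre-shared key for decryption.

.PARAMETER SecureKey
A SecureString that will be converted into a 32 byte array used as the pre-shared key for decryption.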
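
.EXAMPLE
$EncryptedText = Get-Content ./encryptedText.txt
$MySecret = ConvertTo-FIPSSecureString -EncryptedString $EncryptedText -SecureKey ( ConvertTo-SecureString -String 'Pr3$haredK3y' -AsPlainText -Force )

.OUTPUTS
System.Security.SecureString

.NOTES
The input is expected to be Base64 text of a 16 byte IV followed by AES-256-CBC ciphertext, as
written by ConvertFrom-FIPSSecureString. The format carries no authentication tag: a wrong key
or a modified string surfaces as a padding error (or occasionally as garbage output), so such an
error is not proof of tampering, and decryption failures should not be reported back to
untrusted parties in a way that lets them probe the ciphertext.
#>
function ConvertTo-FIPSSecureString
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$true,ParameterSetName='KeyByte')]
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$true,ParameterSetName='SecureKey')]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $EncryptedString,

        [Parameter(Mandatory=$True,ParameterSetName='KeyByte')]
        [ValidateNotNullOrEmpty()]
        [System.Byte[]]
        $Key,

        [Parameter(Mandatory=$True,ParameterSetName='SecureKey')]
        [ValidateNotNullOrEmpty()]
        [System.Security.SecureString]
        $SecureKey
    )

    if ($PSBoundParameters.ContainsKey('SecureKey'))
    {
        $Key = Convert-SecureStringTo32ByteKey -SecureString $SecureKey
    }

    if ($null -eq $Key -or $Key.GetLength(0) -ne 32)
    {
        throw 'Key must be provided as a 32byte (256bit) byte array'
    }

    $dataBytes = [System.Convert]::FromBase64String($EncryptedString)

    # A 16 byte IV plus at least one whole 16 byte block; anything else cannot be CBC/PKCS7 output
    # and previously failed later with an obscure index or TransformFinalBlock error.
    if ($dataBytes.Length -lt 32 -or ($dataBytes.Length % 16) -ne 0)
    {
        throw 'EncryptedString is not valid output of ConvertFrom-FIPSSecureString (expected a 16 byte IV followed by whole AES blocks)'
    }

    $iv = $dataBytes[0..15]

    $aes = New-Object -TypeName System.Security.Cryptography.AesCryptoServiceProvider
    $decryptionObject = $null
    $decryptedDataBytes = $null
    try
    {
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.BlockSize = 128
        $aes.KeySize = 256
        $aes.Key = $Key
        $aes.IV = $iv

        $decryptionObject = $aes.CreateDecryptor()

        Write-Verbose -Message 'Converting AES encrypted string to SecureString'
        [System.Byte[]] $decryptedDataBytes = $decryptionObject.TransformFinalBlock($dataBytes, 16, $dataBytes.Length - 16)

        return ([System.Text.Encoding]::UTF8.GetString($decryptedDataBytes) | ConvertTo-SecureString -AsPlainText -Force)
    }
    finally
    {
        # Scrub the decrypted buffer and release the provider objects even when decryption throws
        if ($null -ne $decryptedDataBytes)
        {
            [Array]::Clear($decryptedDataBytes, 0, $decryptedDataBytes.Length)
        }
        if ($null -ne $decryptionObject)
        {
            $decryptionObject.Dispose()
        }
        $aes.Dispose()
    }
}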
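--------------------------------------------------------------------------------
/Functions/ConvertTo-PKISecureString.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Converts a string of encrypted text back into a SecureString object with the private key of a PKI certificate.

.PARAMETER EncryptedString
The string of encrypted text to convert back into a SecureString object

.PARAMETER Thumbprint
The Thumbprint of a certificate on the local computer that will be used to decrypt the string.

.PARAMETER CertificateStore
Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.

.OUTPUTS
System.Security.SecureString

.NOTES
The certificate must carry an RSA private key readable by the current user. The key is obtained
through GetRSAPrivateKey (.NET Framework 4.6+ or .NET Core), which also handles keys held by a
CNG key storage provider that the legacy PrivateKey property cannot load.

.EXAMPLE
$EncryptedText = Get-Content ./encryptedText.txt
$MySecretValue = ConvertTo-PKISecureString -EncryptedString $EncryptedText -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80'

Reads an encrypted string from disk and decrypts it back into a SecureString.
#>
function ConvertTo-PKISecureString
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$True,Position=1,ValueFromPipeline=$True)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $EncryptedString,

        # A thumbprint is 40 hex characters; the pattern also keeps wildcard characters out of
        # the Cert: path built below, which Get-Item would otherwise expand.
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory=$False)]
        [ValidateSet('CurrentUser','LocalMachine')]
        [System.String]
        $CertificateStore
    )

    if ($PSBoundParameters.ContainsKey('CertificateStore'))
    {
        $searchStores = @($CertificateStore)
    }
    else
    {
        # first look in CurrentUser, then fall back to LocalMachine
        $searchStores = @('CurrentUser', 'LocalMachine')
    }

    $Certificate = $null
    foreach ($store in $searchStores)
    {
        $Certificate = Get-Item -Path "Cert:\$store\My\$Thumbprint" -ErrorAction SilentlyContinue
        if ($null -ne $Certificate.Thumbprint)
        {
            break
        }
    }

    if ($null -eq $Certificate.Thumbprint)
    {
        throw "Could not find a valid certificate in the $($searchStores -join ' or ') store with thumbprint $Thumbprint"
    }

    if (-not $Certificate.HasPrivateKey)
    {
        throw "Certificate $($Certificate.Thumbprint) has no private key available to the current user, so it cannot decrypt"
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa)
    {
        throw "Certificate $($Certificate.Thumbprint) does not contain an RSA private key"
    }

    $decryptedBytes = $null
    try
    {
        Write-Verbose "Converting encrypted string to SecureString with certificate thumbprint $($Certificate.Thumbprint)"
        $EncryptedBytes = [System.Convert]::FromBase64String($EncryptedString)

        # OaepSHA1 is the padding PrivateKey.Decrypt($bytes, $true) applied, so previously exported
        # values still decrypt.
        $decryptedBytes = $rsa.Decrypt($EncryptedBytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)

        return ([System.Text.Encoding]::UTF8.GetString($decryptedBytes) | ConvertTo-SecureString -AsPlainText -Force)
    }
    finally
    {
        # Scrub the plain text buffer; GetRSAPrivateKey hands out a separate RSA object that we own.
        if ($null -ne $decryptedBytes)
        {
            [Array]::Clear($decryptedBytes, 0, $decryptedBytes.Length)
        }
        $rsa.Dispose()
    }
}
--------------------------------------------------------------------------------
/Functions/Export-PSCredential.ps1:
--------------------------------------------------------------------------------
<#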
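.SYNOPSIS
Encrypts and saves a PowerShell Credential object to file or to Azure KeyVault

.DESCRIPTION
Export-PSCredential is used to save a PowerShell Credential object [System.Management.Automation.PSCredential] to disk
or to Azure KeyVault so that it can be retrieved later. When saving to disk, the password is encrypted with either a pre-shared key
or a PKI certificate. Only the password is encrypted: the user name is written to the JSON file in plain text, and the file
is created with the default permissions of its directory.

.PARAMETER Credential
The Credential object that will be exported.

.PARAMETER Path
Path to the JSON file that will be created to save the encrypted credential.

.PARAMETER SecureKey
A SecureString that is used as a Pre-Shared-Key for encrypting the credential password.

.PARAMETER Thumbprint
The Thumbprint of a certificate on the local computer that will be used to encrypt the credential password.

.PARAMETER CertificateFile
Path to a .CER certificate public key file that will be used to encrypt the credential password.

.PARAMETER CertificateStore
Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.

.PARAMETER KeyVault
The name of the Azure KeyVault that will be used to store the exported credential.

.PARAMETER SecretName
The name of the Azure KeyVault secret to create that will be used to store the exported credential.

.EXAMPLE
$Credential | Export-PSCredential -Path ./savedcredential.json -SecureKey ( Convertto-SecureString -String '$ecretK3y' -AsPlainText -Force)

Export a credential to file using a pre-shared key.

.EXAMPLE
$Credential | Export-PSCredential -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80'

Export a credential to file using a Certificate.

.EXAMPLE
$Credential | Export-PSCredential -KeyVault 'My-KeyVault' -SecretName 'SavedCred-Secret'

Export a credential to an existing Azure KeyVault. The user executing the script must be authenticated to Azure with sufficient permissions to the KeyVault.
#>
function Export-PSCredential
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ParameterSetName = "LocalKey", Position = 1, ValueFromPipeline = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "KeyVault", Position = 1, ValueFromPipeline = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "CertificateThumbprint", Position = 1, ValueFromPipeline = $true)]
        [Parameter(Mandatory = $true, ParameterSetName = "CertFile", Position = 1, ValueFromPipeline = $true)]
        [ValidateNotNullorEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true, ParameterSetName = "LocalKey", Position = 2)]
        [Parameter(Mandatory = $true, ParameterSetName = "CertificateThumbprint", Position = 2)]
        [Parameter(Mandatory = $true, ParameterSetName = "CertFile", Position = 2)]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true, ParameterSetName = "LocalKey")]
        [ValidateNotNullorEmpty()]
        [System.Security.SecureString]
        $SecureKey,

        [Parameter(Mandatory = $true, ParameterSetName = "CertificateThumbprint")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Thumbprint,

        # Named only: this parameter was also declared at Position 1 / ValueFromPipeline in the
        # CertFile set, competing with -Credential for the same positional and pipeline binding.
        [Parameter(Mandatory = $true, ParameterSetName = "CertFile")]
        [ValidateScript( {Test-Path -LiteralPath $_})]
        [System.String]
        $CertificateFile,

        [Parameter(Mandatory = $false, ParameterSetName = "CertificateThumbprint")]
        [ValidateSet("LocalMachine", "CurrentUser")]
        [System.String]
        $CertificateStore,

        [Parameter(Mandatory = $true, ParameterSetName = "KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $KeyVault,

        [Parameter(Mandatory = $true, ParameterSetName = "KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $SecretName
    )

    # Common parameters are not surfaced as variables, so a bare $Verbose is always $null;
    # read the bound switch instead to forward verbosity to the conversion functions.
    $verboseSwitch = [bool]$PSBoundParameters['Verbose']

    if ($PSCmdlet.ParameterSetName -eq 'KeyVault')
    {
        if ($null -eq $script:AzureKeyVaultModule)
        {
            throw "Cannot find module Az.KeyVault or AzureRM.KeyVault installed on this system"
        }

        try
        {
            $keyVaultObject = Get-PSCTAzKeyVault -VaultName $KeyVault -ErrorAction Stop
        }
        catch
        {
            throw "Unable to access KeyVault $KeyVault, ensure that the current session has access to it. Use Add-AzureRmAccount, Login-AzureRmAccount or ConnectAzAccount to establish access for the current session. $($_)"
        }

        if ($null -eq $keyVaultObject)
        {
            throw "Unable to find KeyVault $KeyVault within the current subscription"
        }

        Write-Verbose -Message "Saving Credential to KeyVault $KeyVault"
        # The user name travels as a secret tag so Import-PSCredential can rebuild the credential
        Set-PSCTAzKeyVaultSecret -VaultName $KeyVault -Name $SecretName -SecretValue $Credential.Password -Tag @{username = $Credential.UserName}
    }
    else
    {
        # Every remaining parameter set requires -Path
        $CredentialExport = [PSCustomObject]@{Username = $Credential.UserName; Password = $null}

        switch ($PSCmdlet.ParameterSetName)
        {
            'LocalKey'
            {
                $CredentialExport.Password = ConvertFrom-FIPSsecureString -SecureString $Credential.Password -SecureKey $SecureKey -Verbose:$verboseSwitch
            }
            'CertificateThumbprint'
            {
                $pkiParameters = @{
                    SecureString = $Credential.Password
                    Thumbprint   = $Thumbprint
                    Verbose      = $verboseSwitch
                }
                if ($PSBoundParameters.ContainsKey('CertificateStore'))
                {
                    $pkiParameters['CertificateStore'] = $CertificateStore
                }
                $CredentialExport.Password = ConvertFrom-PKISecureString @pkiParameters
            }
            'CertFile'
            {
                $CredentialExport.Password = ConvertFrom-PKISecureString -SecureString $Credential.Password -CertificateFile $CertificateFile -Verbose:$verboseSwitch
            }
        }

        Write-Verbose -Message "Saving Credential to $Path"
        $CredentialExport | ConvertTo-Json | Out-File -LiteralPath $Path
    }
}
--------------------------------------------------------------------------------
/Functions/Import-PSCredential.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves and decrypts an exported PowerShell Credential from file or Azure KeyVault back into a PSCredential object.

.DESCRIPTION
Import-PSCredential is used to retrieve a previously saved PowerShell Credential object from disk
or from Azure KeyVault and returns a PowerShell Credential object [System.Management.Automation.PSCredential] that can be used within scripts and
Desired State Configurations. When retrieving from disk, the method used to encrypt the credential must be used to decrypt the credential.

.PARAMETER Path
Path to the JSON file that contains the encrypted credential.

.PARAMETER SecureKey
The SecureString that was used as a Pre-Shared-Key for encrypting the credential password.

.PARAMETER Thumbprint
The Thumbprint of the certificate on the local computer that contains the private key of the certificate used to encrypt the credential password.

.PARAMETER CertificateStore
Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.

.PARAMETER KeyVault
The name of the Azure KeyVault that contains the exported credential secret.

.PARAMETER SecretName
The name of the Azure KeyVault secret that contains the exported credential.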
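
.EXAMPLE
$Credential = Import-PSCredential -Path ./savedcredential.json -SecureKey ( Convertto-SecureString -String '$ecretK3y' -AsPlainText -Force )

Import a credential from file using a pre-shared key.

.EXAMPLE
$Credential = Import-PSCredential -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80'

Import a credential from file using a Certificate.

.EXAMPLE
$Credential = Import-PSCredential -KeyVault 'My-KeyVault' -SecretName 'SavedCred-Secret'

Import a credential from an Azure KeyVault. The user executing the script must be authenticated to Azure with sufficient permissions to the KeyVault.
#>
function Import-PSCredential
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ParameterSetName = "LocalKey", Position = 1)]
        [Parameter(Mandatory = $true, ParameterSetName = "CertificateThumbprint", Position = 1)]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true, ParameterSetName = "LocalKey")]
        [ValidateNotNullorEmpty()]
        [System.Security.SecureString]
        $SecureKey,

        [Parameter(Mandatory = $true, ParameterSetName = "CertificateThumbprint")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory = $false, ParameterSetName = "CertificateThumbprint")]
        [ValidateSet("LocalMachine", "CurrentUser")]
        [System.String]
        $CertificateStore,

        [Parameter(Mandatory = $true, ParameterSetName = "KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $KeyVault,

        [Parameter(Mandatory = $true, ParameterSetName = "KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $SecretName
    )

    # Common parameters are not surfaced as variables, so a bare $Verbose is always $null;
    # read the bound switch instead to forward verbosity to the conversion functions.
    $verboseSwitch = [bool]$PSBoundParameters['Verbose']

    if ($PSCmdlet.ParameterSetName -eq 'KeyVault')
    {
        if ($null -eq $script:AzureKeyVaultModule)
        {
            throw "Cannot find module Az.KeyVault or AzureRM.KeyVault installed on this system"
        }

        try
        {
            $keyVaultObject = Get-PSCTAzKeyVault -VaultName $KeyVault -ErrorAction Stop
        }
        catch
        {
            throw "Unable to access KeyVault $KeyVault, ensure that the current session has access to it. Use Add-AzureRmAccount, Login-AzureRmAccount or ConnectAzAccount to establish access for the current session. $($_)"
        }

        if ($null -eq $keyVaultObject)
        {
            throw "Unable to find KeyVault $KeyVault within the current subscription"
        }

        Write-Verbose -Message "Reading credential object data from $KeyVault"
        $SecretData = Get-PSCTAzKeyVaultSecret -VaultName $KeyVault -Name $SecretName

        if ($null -eq $SecretData)
        {
            throw "Could not read data from $SecretName in $KeyVault"
        }

        # Export-PSCredential stores the user name as a tag on the secret
        $username = ($SecretData.Attributes.Tags).username
        if ($null -eq $username)
        {
            throw "$SecretName does not have a Username tag"
        }

        return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @($username, $SecretData.SecretValue)
    }

    # Every remaining parameter set requires -Path
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf))
    {
        throw "Credential file $Path does not exist"
    }

    Write-Verbose "Reading credential object data from $Path"
    $CredentialImport = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json

    # Fail with a clear message rather than handing $null to the decrypt functions
    if ([string]::IsNullOrEmpty($CredentialImport.UserName) -or [string]::IsNullOrEmpty($CredentialImport.Password))
    {
        throw "$Path does not contain the Username and Password fields written by Export-PSCredential"
    }

    if ($PSCmdlet.ParameterSetName -eq 'LocalKey')
    {
        $SecureStringPassword = ConvertTo-FIPSsecureString -EncryptedString $CredentialImport.Password -SecureKey $SecureKey -Verbose:$verboseSwitch
    }
    else
    {
        # Build the argument set once; previously the call without -CertificateStore ran
        # unconditionally and overwrote the store-specific result.
        $pkiParameters = @{
            EncryptedString = $CredentialImport.Password
            Thumbprint      = $Thumbprint
            Verbose         = $verboseSwitch
        }
        if ($PSBoundParameters.ContainsKey('CertificateStore'))
        {
            $pkiParameters['CertificateStore'] = $CertificateStore
        }
        $SecureStringPassword = ConvertTo-PKISecureString @pkiParameters
    }

    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @(($CredentialImport.UserName), $SecureStringPassword)
}
--------------------------------------------------------------------------------
/Functions/New-PSCredential.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Create a new PowerShell Credential object with a random password. Encrypts and saves the Credential object to file or to Azure KeyVault.

.DESCRIPTION
New-PSCredential is used to create a new PowerShell Credential object [System.Management.Automation.PSCredential] with the provided username and
a strong random password. The resulting credential object is returned as well as saved to disk or to Azure KeyVault so that it can be retrieved later.
When saving to disk, the password is encrypted with either a pre-shared key or PKI certificate.

.PARAMETER Username
Username to use for the Credential to be created.

.PARAMETER Path
Path to the JSON file that will be created to save the encrypted credential.

.PARAMETER SecureKey
A SecureString that is used as a Pre-Shared-Key for encrypting the credential password.

.PARAMETER Thumbprint
The Thumbprint of a certificate on the local computer that will be used to encrypt the credential password.

.PARAMETER CertificateFile
Path to a .CER certificate public key file that will be used to encrypt the credential password.

.PARAMETER CertificateStore
Specifies the certificate store of the specified certificate thumbprint. Either LocalMachine or CurrentUser.

.PARAMETER KeyVault
The name of the Azure KeyVault that will be used to store the exported credential.

.PARAMETER SecretName
The name of the Azure KeyVault secret to create that will be used to store the exported credential.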
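
.EXAMPLE
$Credential = New-PSCredential -Username 'svc.SharePoint.farm' -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80'
New-ADUser -Name $Credential.Username -AccountPassword $Credential.Password -Enabled:$true

Creating a credential to be used as a service account, and creating the account.
#>
function New-PSCredential
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ParameterSetName="LocalKey",Position=1,ValueFromPipeline=$true)]
        [Parameter(Mandatory = $true, ParameterSetName="KeyVault",Position=1,ValueFromPipeline=$true)]
        [Parameter(Mandatory = $true, ParameterSetName="CertificateThumbprint",Position=1,ValueFromPipeline=$true)]
        [Parameter(Mandatory = $true, ParameterSetName="CertFile",Position=1,ValueFromPipeline=$true)]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Username,

        [Parameter(Mandatory = $true, ParameterSetName="LocalKey",Position=2)]
        [Parameter(Mandatory = $true, ParameterSetName="CertificateThumbprint",Position=2)]
        [Parameter(Mandatory = $true, ParameterSetName="CertFile",Position=2)]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Path,

        [Parameter(Mandatory = $true, ParameterSetName="LocalKey")]
        [ValidateNotNullorEmpty()]
        [System.Security.SecureString]
        $SecureKey,

        [Parameter(Mandatory = $true, ParameterSetName="CertificateThumbprint")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $Thumbprint,

        # Named only: this parameter was also declared at Position 1 / ValueFromPipeline in the
        # CertFile set, competing with -Username for the same positional and pipeline binding.
        [Parameter(Mandatory = $true, ParameterSetName="CertFile")]
        [ValidateScript({Test-Path -LiteralPath $_})]
        [System.String]
        $CertificateFile,

        [Parameter(Mandatory = $false, ParameterSetName="CertificateThumbprint")]
        [ValidateSet("LocalMachine","CurrentUser")]
        [System.String]
        $CertificateStore,

        [Parameter(Mandatory = $true, ParameterSetName="KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $KeyVault,

        [Parameter(Mandatory = $true, ParameterSetName="KeyVault")]
        [ValidateNotNullorEmpty()]
        [System.String]
        $SecretName
    )

    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @($Username, (ConvertTo-SecureString -String (New-Password) -AsPlainText -Force))

    # Forward every bound parameter except Username (including -Verbose) to Export-PSCredential,
    # which selects the matching LocalKey / CertificateThumbprint / CertFile / KeyVault set itself.
    $ExportParameters = @{}
    foreach ($boundParameter in $PSBoundParameters.GetEnumerator())
    {
        if ($boundParameter.Key -ne 'Username')
        {
            $ExportParameters[$boundParameter.Key] = $boundParameter.Value
        }
    }
    $ExportParameters['Credential'] = $Credential

    Export-PSCredential @ExportParameters | Out-Null

    return $Credential
}
--------------------------------------------------------------------------------
/Functions/New-Password.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Generates a new password.

.DESCRIPTION
Creates a new randomly generated password which adheres to strong password standards: at least
two upper-case letters, two lower-case letters, two digits and two punctuation characters, drawn
from a cryptographic random number generator.

.PARAMETER Length
The number of characters the password will contain. Minimum 8 (two characters of each of the
four classes), maximum 128.

.OUTPUTS
System.String

.NOTES
Earlier versions relied on System.Web.Security.Membership.GeneratePassword, which is not available
on PowerShell 7 / .NET Core, and looped forever when Length was below 8 because the complexity
check could never be satisfied.

.EXAMPLE
New-Password
R(9s?.rmX*Z45lP

.Example
New-Password -Length 24
i7K#9*cKAPvi8a.yS&8U7W)
#>
function New-Password
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [ValidateRange(8, 128)]
        [System.Int16]
        $Length = 16
    )

    # Same character classes GeneratePassword drew from; each class must appear at least twice.
    $upperCase = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lowerCase = [char[]]'abcdefghijklmnopqrstuvwxyz'
    $digits = [char[]]'0123456789'
    $specials = [char[]]'!@#$%^&*()_-+=[{]};:<>|./?'
    $alphabet = $upperCase + $lowerCase + $digits + $specials

    # Rejection sampling bound: bytes at or above this value are discarded so every alphabet
    # entry is equally likely (a plain modulo would bias towards the low entries).
    $sampleLimit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try
    {
        $randomByte = New-Object -TypeName byte[] -ArgumentList 1

        do
        {
            $characters = New-Object -TypeName char[] -ArgumentList $Length
            for ($index = 0; $index -lt $Length; $index++)
            {
                do
                {
                    $rng.GetBytes($randomByte)
                }
                while ($randomByte[0] -ge $sampleLimit)

                $characters[$index] = $alphabet[$randomByte[0] % $alphabet.Length]
            }
            $password = -join $characters

            # Uniform sampling is likely, but not guaranteed, to hit every class twice; retry if not.
            $UpperTest = ([regex]::matches($password, "[A-Z]") | Measure-Object).Count -ge 2
            $LowerTest = ([regex]::matches($password, "[a-z]") | Measure-Object).Count -ge 2
            $NumberTest = ([regex]::matches($password, "[0-9]") | Measure-Object).Count -ge 2
            $SpecialsTest = ([regex]::matches($password, "[^a-zA-Z0-9]") | Measure-Object).Count -ge 2
        } until ($UpperTest -and $LowerTest -and $NumberTest -and $SpecialsTest)
    }
    finally
    {
        $rng.Dispose()
    }

    return $password
}
--------------------------------------------------------------------------------
/Functions/Set-AzureCmdlets.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Determines which Azure KeyVault module is available on the system, and sets aliases for use
within the module accordingly

.DESCRIPTION
Prefers Az.KeyVault and falls back to AzureRM.KeyVault. $script:AzureKeyVaultModule stays $null
when neither module is installed; Export-PSCredential and Import-PSCredential test that variable
before calling the Get-PSCTAzKeyVault, Set-PSCTAzKeyVaultSecret and Get-PSCTAzKeyVaultSecret aliases.
#>

$script:AzureKeyVaultModule = Get-Module -Name Az.KeyVault -ListAvailable | Select-Object -First 1
if ($null -ne $script:AzureKeyVaultModule)
{
    New-Alias -Name 'Get-PSCTAzKeyVault' -Value 'Get-AzKeyVault' -Scope script
    New-Alias -Name 'Set-PSCTAzKeyVaultSecret' -Value 'Set-AzKeyVaultSecret' -Scope script
    New-Alias -Name 'Get-PSCTAzKeyVaultSecret' -Value 'Get-AzKeyVaultSecret' -Scope script
}
else
{
    # Must be assigned in script scope: a local assignment left $script:AzureKeyVaultModule $null,
    # so the AzureRM aliases below were never created and the KeyVault parameter set always failed.
    $script:AzureKeyVaultModule = Get-Module -Name AzureRM.KeyVault -ListAvailable | Select-Object -First 1
    if ($null -ne $script:AzureKeyVaultModule)
    {
        New-Alias -Name 'Get-PSCTAzKeyVault' -Value 'Get-AzureRmKeyVault' -Scope script
        New-Alias -Name 'Set-PSCTAzKeyVaultSecret' -Value 'Set-AzureKeyVaultSecret' -Scope script
        New-Alias -Name 'Get-PSCTAzKeyVaultSecret' -Value 'Get-AzureKeyVaultSecret' -Scope script
    }
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) Microsoft Corporation.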
All rights reserved. 2 | 3 | MIT License 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /PSCredentialTools.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | # Version number of this module. 3 | ModuleVersion = '1.1.0' 4 | 5 | # ID used to uniquely identify this module 6 | GUID = '89b06e4f-42a4-4d7b-bb59-495e35d0b270' 7 | 8 | # Author of this module 9 | Author = 'Mike Lacher' 10 | 11 | # Company or vendor of this module 12 | CompanyName = 'Microsoft Corporation' 13 | 14 | # Copyright statement for this module 15 | Copyright = '(c) 2018 Microsoft Corporation. 
All rights reserved' 16 | 17 | # Description of the functionality provided by this module 18 | Description = 'PSCredentialTools provides various methods for securely storing and retrieving credentials used in PowerShell scripts' 19 | 20 | # Minimum version of the Windows PowerShell engine required by this module 21 | PowerShellVersion = '4.0' 22 | 23 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 24 | NestedModules = @( 25 | 'Functions\Convert-SecureStringTo32ByteKey.ps1' 26 | 'Functions\ConvertFrom-FipsSecureString.ps1' 27 | 'Functions\ConvertFrom-PKISecureString.ps1' 28 | 'Functions\ConvertTo-FIPSSecureString.ps1' 29 | 'Functions\ConvertTo-PKISecureString.ps1' 30 | 'Functions\Export-PSCredential.ps1' 31 | 'Functions\Import-PSCredential.ps1' 32 | 'Functions\New-Password.ps1' 33 | 'Functions\New-PSCredential.ps1' 34 | 'Functions\Set-AzureCmdlets.ps1' 35 | ) 36 | 37 | # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. 38 | FunctionsToExport = @( 39 | 'Export-PSCredential' 40 | 'Import-PSCredential' 41 | 'New-PSCredential' 42 | 'ConvertFrom-FIPSSecureString' 43 | 'ConvertTo-FIPSSecureString' 44 | 'ConvertTo-PKISecureString' 45 | 'ConvertFrom-PKISecureString' 46 | ) 47 | 48 | # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 49 | CmdletsToExport = @() 50 | 51 | # Variables to export from this module 52 | VariablesToExport = '*' 53 | 54 | # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. 55 | AliasesToExport = @() 56 | 57 | # Private data to pass to the module specified in RootModule/ModuleToProcess. 
This may also contain a PSData hashtable with additional module metadata used by PowerShell. 58 | PrivateData = @{ 59 | 60 | PSData = @{ 61 | 62 | # Tags applied to this module. These help with module discovery in online galleries. 63 | Tags = @('Credential', 'PowerShell') 64 | 65 | # A URL to the license for this module. 66 | LicenseUri = 'https://github.com/Microsoft/PSCredentialTools/blob/master/LICENSE' 67 | 68 | # A URL to the main website for this project. 69 | ProjectUri = 'https://github.com/Microsoft/PSCredentialTools' 70 | 71 | # ReleaseNotes of this module 72 | ReleaseNotes = 'https://github.com/Microsoft/PSCredentialTools/blob/master/changelog.md' 73 | 74 | } # End of PSData hashtable 75 | 76 | } # End of PrivateData hashtable 77 | } 78 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 
14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 
40 | 41 | 42 | -------------------------------------------------------------------------------- /changelog.md: -------------------------------------------------------------------------------- 1 | # Release Notes 2 | 3 | ## 1.1 4 | 5 | - Use .NET GeneratePassword method for random password generation instead of get-random 6 | - Set and use aliases for Azure KeyVault commands based on the module available on the system 7 | - Fixed typos in the module manifest. 8 | - Split the functions into individual files for maintainability. 9 | - Added comment based help to functions which did not have any. 10 | 11 | ## 1.0.1 12 | 13 | - fix New-PSCredential returning more than the Credential object when using KeyVault storage 14 | 15 | ## 1.0 16 | 17 | - Initial release of pscredentialtools 18 | -------------------------------------------------------------------------------- /contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This project welcomes contributions and suggestions. Most contributions require you to 4 | agree to a Contributor License Agreement (CLA) declaring that you have the right to, 5 | and actually do, grant us the rights to use your contribution. For details, visit 6 | https://cla.microsoft.com. 7 | 8 | When you submit a pull request, a CLA-bot will automatically determine whether you need 9 | to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the 10 | instructions provided by the bot. You will only need to do this once across all repositories using our CLA. 11 | 12 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 13 | For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 14 | or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 
15 | -------------------------------------------------------------------------------- /docs/ConvertFrom-FIPSSecureString.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertFrom-FIPSSecureString 9 | 10 | ## SYNOPSIS 11 | Converts a SecureString object into encrypted text with a FIPS compliant algorithm using a pre-shared key. 12 | The Pre-Shared key can be provided as either a 32 byte array or a SecureString value. 13 | 14 | ## SYNTAX 15 | 16 | ### SecureKey 17 | ``` 18 | ConvertFrom-FIPSSecureString [-SecureString] -SecureKey [] 19 | ``` 20 | 21 | ### KeyByte 22 | ``` 23 | ConvertFrom-FIPSSecureString [-SecureString] -Key [] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | {{Fill in the Description}} 28 | 29 | ## EXAMPLES 30 | 31 | ### EXAMPLE 1 32 | ``` 33 | ConvertFrom-FIPSSecureString -SecureString $MySecretValue -SecureKey ( ConvertTo-SecureString -String 'Pr3$haredK3y' -AsPlainText -Force ) | Out-File ./encryptedText.txt 34 | ``` 35 | 36 | Encrypts a SecureString object and saves it to disk. 37 | 38 | ## PARAMETERS 39 | 40 | ### -SecureString 41 | The SecureString object that will be returned as an encrypted string. 42 | 43 | ```yaml 44 | Type: SecureString 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: True 49 | Position: 2 50 | Default value: None 51 | Accept pipeline input: True (ByValue) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -Key 56 | An array of 32 bytes that will be used as the pre-shared key for encryption. 57 | 58 | ```yaml 59 | Type: Byte[] 60 | Parameter Sets: KeyByte 61 | Aliases: 62 | 63 | Required: True 64 | Position: Named 65 | Default value: None 66 | Accept pipeline input: False 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -SecureKey 71 | A SecureString that will be converted into a 32 byte array used as the pre-shared key for encryption. 
72 | 73 | ```yaml 74 | Type: SecureString 75 | Parameter Sets: SecureKey 76 | Aliases: 77 | 78 | Required: True 79 | Position: Named 80 | Default value: None 81 | Accept pipeline input: False 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### CommonParameters 86 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 87 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 88 | 89 | ## INPUTS 90 | 91 | ## OUTPUTS 92 | 93 | ## NOTES 94 | 95 | ## RELATED LINKS 96 | -------------------------------------------------------------------------------- /docs/ConvertFrom-PKISecureString.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertFrom-PKISecureString 9 | 10 | ## SYNOPSIS 11 | Converts a SecureString object into encrypted text with the public key of a PKI certificate. 12 | 13 | ## SYNTAX 14 | 15 | ### CertFile 16 | ``` 17 | ConvertFrom-PKISecureString [-SecureString] -CertificateFile [] 18 | ``` 19 | 20 | ### Thumbprint 21 | ``` 22 | ConvertFrom-PKISecureString [-SecureString] -Thumbprint [-CertificateStore ] 23 | [] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | {{Fill in the Description}} 28 | 29 | ## EXAMPLES 30 | 31 | ### EXAMPLE 1 32 | ``` 33 | ConvertFrom-PKISecureString -SecureString $MySecretValue -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' | Out-File ./encryptedText.txt 34 | ``` 35 | 36 | Encrypts a SecureString object and saves it to disk. 37 | 38 | ## PARAMETERS 39 | 40 | ### -SecureString 41 | The SecureString object that will be returned as an encrypted string. 
42 | 43 | ```yaml 44 | Type: SecureString 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: True 49 | Position: 2 50 | Default value: None 51 | Accept pipeline input: True (ByValue) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -Thumbprint 56 | The ThumbPrint of a certificate on the local computer that will be used to encrypt the string. 57 | 58 | ```yaml 59 | Type: String 60 | Parameter Sets: Thumbprint 61 | Aliases: 62 | 63 | Required: True 64 | Position: Named 65 | Default value: None 66 | Accept pipeline input: False 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -CertificateFile 71 | Path to a .CER certificate public key file that will be used to encrypt the string. 72 | 73 | ```yaml 74 | Type: String 75 | Parameter Sets: CertFile 76 | Aliases: 77 | 78 | Required: True 79 | Position: Named 80 | Default value: None 81 | Accept pipeline input: False 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -CertificateStore 86 | Specifies the certificate store of the specified certificate thumbprint. 87 | Either LocalMachine or CurrentUser. 88 | 89 | ```yaml 90 | Type: String 91 | Parameter Sets: Thumbprint 92 | Aliases: 93 | 94 | Required: False 95 | Position: Named 96 | Default value: None 97 | Accept pipeline input: False 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### CommonParameters 102 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 103 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
104 | 105 | ## INPUTS 106 | 107 | ## OUTPUTS 108 | 109 | ## NOTES 110 | 111 | ## RELATED LINKS 112 | -------------------------------------------------------------------------------- /docs/ConvertTo-FIPSSecureString.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertTo-FIPSSecureString 9 | 10 | ## SYNOPSIS 11 | Converts a string of encrypted text back into a SecureString object with a FIPS compliant algorithm using a pre-shared key. 12 | The Pre-Shared key can be provided as either a 32 byte array or a SecureString value. 13 | 14 | ## SYNTAX 15 | 16 | ### SecureKey 17 | ``` 18 | ConvertTo-FIPSSecureString [-EncryptedString] -SecureKey [] 19 | ``` 20 | 21 | ### KeyByte 22 | ``` 23 | ConvertTo-FIPSSecureString [-EncryptedString] -Key [] 24 | ``` 25 | 26 | ## DESCRIPTION 27 | {{Fill in the Description}} 28 | 29 | ## EXAMPLES 30 | 31 | ### EXAMPLE 1 32 | ``` 33 | $EncryptedText = Get-Content ./encryptedText.txt 34 | ``` 35 | 36 | $MySecret = ConvertTo-FIPSSecureString -EncryptedString $EncryptedText -SecureKey ( ConvertTo-SecureString -String 'Pr3$haredK3y' -AsPlainText -Force ) 37 | 38 | ## PARAMETERS 39 | 40 | ### -EncryptedString 41 | The string of encrypted text to convert back into a SecureString object 42 | 43 | ```yaml 44 | Type: String 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: True 49 | Position: 2 50 | Default value: None 51 | Accept pipeline input: True (ByValue) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -Key 56 | An array of 32 bytes that will be used as the pre-shared key for decryption. 
57 | 58 | ```yaml 59 | Type: Byte[] 60 | Parameter Sets: KeyByte 61 | Aliases: 62 | 63 | Required: True 64 | Position: Named 65 | Default value: None 66 | Accept pipeline input: False 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -SecureKey 71 | A SecureString that will be converted into a 32 byte array used as the pre-shared key for decryption. 72 | 73 | ```yaml 74 | Type: SecureString 75 | Parameter Sets: SecureKey 76 | Aliases: 77 | 78 | Required: True 79 | Position: Named 80 | Default value: None 81 | Accept pipeline input: False 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### CommonParameters 86 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 87 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 88 | 89 | ## INPUTS 90 | 91 | ## OUTPUTS 92 | 93 | ## NOTES 94 | 95 | ## RELATED LINKS 96 | -------------------------------------------------------------------------------- /docs/ConvertTo-PKISecureString.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # ConvertTo-PKISecureString 9 | 10 | ## SYNOPSIS 11 | Converts a string of encrypted text back into a SecureString object with the private key of a PKI certificate. 
12 | 13 | ## SYNTAX 14 | 15 | ``` 16 | ConvertTo-PKISecureString [-EncryptedString] -Thumbprint [-CertificateStore ] 17 | [] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | {{Fill in the Description}} 22 | 23 | ## EXAMPLES 24 | 25 | ### EXAMPLE 1 26 | ``` 27 | $EncryptedText = Get-Content ./encryptedText.txt 28 | ``` 29 | 30 | $MySecretValue = ConvertTo-PKISecureString -EncryptedString $EncryptedText -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' 31 | 32 | Reads an encrypted string from disk and decrypts it back into a SecureString. 33 | 34 | ## PARAMETERS 35 | 36 | ### -EncryptedString 37 | The string of encrypted text to convert back into a SecureString object 38 | 39 | ```yaml 40 | Type: String 41 | Parameter Sets: (All) 42 | Aliases: 43 | 44 | Required: True 45 | Position: 2 46 | Default value: None 47 | Accept pipeline input: True (ByValue) 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ### -Thumbprint 52 | The ThumbPrint of a certificate on the local computer that will be used to decrypt the string. 53 | 54 | ```yaml 55 | Type: String 56 | Parameter Sets: (All) 57 | Aliases: 58 | 59 | Required: True 60 | Position: Named 61 | Default value: None 62 | Accept pipeline input: False 63 | Accept wildcard characters: False 64 | ``` 65 | 66 | ### -CertificateStore 67 | Specifies the certificate store of the specified certificate thumbprint. 68 | Either LocalMachine or CurrentUser. 69 | 70 | ```yaml 71 | Type: String 72 | Parameter Sets: (All) 73 | Aliases: 74 | 75 | Required: False 76 | Position: Named 77 | Default value: None 78 | Accept pipeline input: False 79 | Accept wildcard characters: False 80 | ``` 81 | 82 | ### CommonParameters 83 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 84 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
85 | 86 | ## INPUTS 87 | 88 | ## OUTPUTS 89 | 90 | ## NOTES 91 | 92 | ## RELATED LINKS 93 | -------------------------------------------------------------------------------- /docs/Export-PSCredential.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Export-PSCredential 9 | 10 | ## SYNOPSIS 11 | Encrypts and saves a PowerShell Credential object to file or to Azure KeyVault 12 | 13 | ## SYNTAX 14 | 15 | ### CertFile 16 | ``` 17 | Export-PSCredential [-Credential] [-Path] [-CertificateFile] 18 | [] 19 | ``` 20 | 21 | ### CertificateThumbprint 22 | ``` 23 | Export-PSCredential [-Credential] [-Path] -Thumbprint 24 | [-CertificateStore ] [] 25 | ``` 26 | 27 | ### KeyVault 28 | ``` 29 | Export-PSCredential [-Credential] -KeyVault -SecretName [] 30 | ``` 31 | 32 | ### LocalKey 33 | ``` 34 | Export-PSCredential [-Credential] [-Path] -SecureKey 35 | [] 36 | ``` 37 | 38 | ## DESCRIPTION 39 | Export-PSCredential is used to save a PowerShell Credential object \[System.Management.Automation.PSCredential\] to disk 40 | or to Azure KeyVault so that it can be retrieved later. 41 | When saving to disk, the password is encrypted with either a pre-shared key 42 | or a PKI certificate. 43 | 44 | ## EXAMPLES 45 | 46 | ### EXAMPLE 1 47 | ``` 48 | $Credential | Export-PSCredential -Path ./savedcredential.json -SecureKey ( Convertto-SecureString -String '$ecretK3y' -AsPlainText -Force) 49 | ``` 50 | 51 | Export a credential to file using a pre-shared key. 52 | 53 | ### EXAMPLE 2 54 | ``` 55 | $Credential | Export-PSCredential -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' 56 | ``` 57 | 58 | Export a credential to file using a Certificate. 
59 | 60 | ### EXAMPLE 3 61 | ``` 62 | $Credential | Export-PSCredential -KeyVault 'My-KeyVault' -SecretName 'SavedCred-Secret' 63 | ``` 64 | 65 | Export a credential to an existing Azure KeyVault. 66 | The user executing the script must be authenticated to Azure with sufficient permissions to the KeyVault. 67 | 68 | ## PARAMETERS 69 | 70 | ### -Credential 71 | The Credential object that will be exported. 72 | 73 | ```yaml 74 | Type: PSCredential 75 | Parameter Sets: (All) 76 | Aliases: 77 | 78 | Required: True 79 | Position: 2 80 | Default value: None 81 | Accept pipeline input: True (ByValue) 82 | Accept wildcard characters: False 83 | ``` 84 | 85 | ### -Path 86 | Path to the JSON file that will be created to save the encrypted credential. 87 | 88 | ```yaml 89 | Type: String 90 | Parameter Sets: CertFile, CertificateThumbprint, LocalKey 91 | Aliases: 92 | 93 | Required: True 94 | Position: 3 95 | Default value: None 96 | Accept pipeline input: False 97 | Accept wildcard characters: False 98 | ``` 99 | 100 | ### -SecureKey 101 | A SecureString that is used as a Pre-Shared-Key for encrypting the credential password. 102 | 103 | ```yaml 104 | Type: SecureString 105 | Parameter Sets: LocalKey 106 | Aliases: 107 | 108 | Required: True 109 | Position: Named 110 | Default value: None 111 | Accept pipeline input: False 112 | Accept wildcard characters: False 113 | ``` 114 | 115 | ### -Thumbprint 116 | The ThumbPrint of a certificate on the local computer that will be used to encrypt the credential password. 117 | 118 | ```yaml 119 | Type: String 120 | Parameter Sets: CertificateThumbprint 121 | Aliases: 122 | 123 | Required: True 124 | Position: Named 125 | Default value: None 126 | Accept pipeline input: False 127 | Accept wildcard characters: False 128 | ``` 129 | 130 | ### -CertificateFile 131 | Path to a .CER certificate public key file that will be used to encrypt the credential password. 
132 | 133 | ```yaml 134 | Type: String 135 | Parameter Sets: CertFile 136 | Aliases: 137 | 138 | Required: True 139 | Position: 2 140 | Default value: None 141 | Accept pipeline input: True (ByValue) 142 | Accept wildcard characters: False 143 | ``` 144 | 145 | ### -CertificateStore 146 | Specifies the certificate store of the specified certificate thumbprint. 147 | Either LocalMachine or CurrentUser. 148 | 149 | ```yaml 150 | Type: String 151 | Parameter Sets: CertificateThumbprint 152 | Aliases: 153 | 154 | Required: False 155 | Position: Named 156 | Default value: None 157 | Accept pipeline input: False 158 | Accept wildcard characters: False 159 | ``` 160 | 161 | ### -KeyVault 162 | The name of the Azure KeyVault that will be used to store the exported credential. 163 | 164 | ```yaml 165 | Type: String 166 | Parameter Sets: KeyVault 167 | Aliases: 168 | 169 | Required: True 170 | Position: Named 171 | Default value: None 172 | Accept pipeline input: False 173 | Accept wildcard characters: False 174 | ``` 175 | 176 | ### -SecretName 177 | The name of the Azure KeyVault secret to create that will be used to store the exported credential. 178 | 179 | ```yaml 180 | Type: String 181 | Parameter Sets: KeyVault 182 | Aliases: 183 | 184 | Required: True 185 | Position: Named 186 | Default value: None 187 | Accept pipeline input: False 188 | Accept wildcard characters: False 189 | ``` 190 | 191 | ### CommonParameters 192 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 193 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 
194 | 195 | ## INPUTS 196 | 197 | ## OUTPUTS 198 | 199 | ## NOTES 200 | 201 | ## RELATED LINKS 202 | -------------------------------------------------------------------------------- /docs/Import-PSCredential.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # Import-PSCredential 9 | 10 | ## SYNOPSIS 11 | Retrieves and decrypts an exported PowerShell Credential from file or Azure KeyVault back into a PSCredential object. 12 | 13 | ## SYNTAX 14 | 15 | ### CertificateThumbprint 16 | ``` 17 | Import-PSCredential [-Path] -Thumbprint [-CertificateStore ] [] 18 | ``` 19 | 20 | ### LocalKey 21 | ``` 22 | Import-PSCredential [-Path] -SecureKey [] 23 | ``` 24 | 25 | ### KeyVault 26 | ``` 27 | Import-PSCredential -KeyVault -SecretName [] 28 | ``` 29 | 30 | ## DESCRIPTION 31 | Import-PSCredential is used to retrieve a previously saved PowerShell Credential object from disk 32 | or from Azure KeyVault and returns a PowerShell Credential object \[System.Management.Automation.PSCredential\] that can be used within scripts and 33 | Desired State Configurations. 34 | When retrieving from disk, the method used to encrypt the credential must be used to decrypt the credential. 35 | 36 | ## EXAMPLES 37 | 38 | ### EXAMPLE 1 39 | ``` 40 | $Credential = Import-PSCredential -Path ./savedcredential.json -SecureKey ( Convertto-SecureString -String '$ecretK3y' -AsPlainText -Force ) 41 | ``` 42 | 43 | Import a credential from file using a pre-shared key. 44 | 45 | ### EXAMPLE 2 46 | ``` 47 | $Credential = Import-PSCredential -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' 48 | ``` 49 | 50 | Import a credential from file using a Certificate. 
51 | 52 | ### EXAMPLE 3 53 | ``` 54 | $Credential = Import-PSCredential -KeyVault 'My-KeyVault' -SecretName 'SavedCred-Secret' 55 | ``` 56 | 57 | Import a credential from an Azure KeyVault. 58 | The user executing the script must be authenticated to Azure with sufficient permissions to the KeyVault. 59 | 60 | ## PARAMETERS 61 | 62 | ### -Path 63 | Path to the JSON file that contains the encrypted credential. 64 | 65 | ```yaml 66 | Type: String 67 | Parameter Sets: CertificateThumbprint, LocalKey 68 | Aliases: 69 | 70 | Required: True 71 | Position: 2 72 | Default value: None 73 | Accept pipeline input: False 74 | Accept wildcard characters: False 75 | ``` 76 | 77 | ### -SecureKey 78 | The SecureString that was used as a Pre-Shared-Key for encrypting the credential password. 79 | 80 | ```yaml 81 | Type: SecureString 82 | Parameter Sets: LocalKey 83 | Aliases: 84 | 85 | Required: True 86 | Position: Named 87 | Default value: None 88 | Accept pipeline input: False 89 | Accept wildcard characters: False 90 | ``` 91 | 92 | ### -Thumbprint 93 | The Thumbprint of the certificate on the local computer that contains the private key of the certificate used to encrypt the credential password. 94 | 95 | ```yaml 96 | Type: String 97 | Parameter Sets: CertificateThumbprint 98 | Aliases: 99 | 100 | Required: True 101 | Position: Named 102 | Default value: None 103 | Accept pipeline input: False 104 | Accept wildcard characters: False 105 | ``` 106 | 107 | ### -CertificateStore 108 | Specifies the certificate store of the specified certificate thumbprint. 109 | Either LocalMachine or CurrentUser. 110 | 111 | ```yaml 112 | Type: String 113 | Parameter Sets: CertificateThumbprint 114 | Aliases: 115 | 116 | Required: False 117 | Position: Named 118 | Default value: None 119 | Accept pipeline input: False 120 | Accept wildcard characters: False 121 | ``` 122 | 123 | ### -KeyVault 124 | The name of the Azure KeyVault that contains the exported credential secret. 
125 | 126 | ```yaml 127 | Type: String 128 | Parameter Sets: KeyVault 129 | Aliases: 130 | 131 | Required: True 132 | Position: Named 133 | Default value: None 134 | Accept pipeline input: False 135 | Accept wildcard characters: False 136 | ``` 137 | 138 | ### -SecretName 139 | The name of the Azure KeyVault secret that contains the exported credential. 140 | 141 | ```yaml 142 | Type: String 143 | Parameter Sets: KeyVault 144 | Aliases: 145 | 146 | Required: True 147 | Position: Named 148 | Default value: None 149 | Accept pipeline input: False 150 | Accept wildcard characters: False 151 | ``` 152 | 153 | ### CommonParameters 154 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 155 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 156 | 157 | ## INPUTS 158 | 159 | ## OUTPUTS 160 | 161 | ## NOTES 162 | 163 | ## RELATED LINKS 164 | -------------------------------------------------------------------------------- /docs/New-PSCredential.md: -------------------------------------------------------------------------------- 1 | --- 2 | external help file: 3 | Module Name: PSCredentialTools 4 | online version: 5 | schema: 2.0.0 6 | --- 7 | 8 | # New-PSCredential 9 | 10 | ## SYNOPSIS 11 | Create a new PowerShell Credential object with a random password. 12 | Encrypts and saves the Credential object to file or to Azure KeyVault. 
13 | 14 | ## SYNTAX 15 | 16 | ### CertFile 17 | ``` 18 | New-PSCredential [-Username] [-Path] [-CertificateFile] [] 19 | ``` 20 | 21 | ### CertificateThumbprint 22 | ``` 23 | New-PSCredential [-Username] [-Path] -Thumbprint [-CertificateStore ] 24 | [] 25 | ``` 26 | 27 | ### KeyVault 28 | ``` 29 | New-PSCredential [-Username] -KeyVault -SecretName [] 30 | ``` 31 | 32 | ### LocalKey 33 | ``` 34 | New-PSCredential [-Username] [-Path] -SecureKey [] 35 | ``` 36 | 37 | ## DESCRIPTION 38 | New-PSCredential is used to create a new PowerShell Credential object \[System.Management.Automation.PSCredential\] with the provided username and 39 | a strong random password. 40 | The resulting credential object is returned as well as saved to disk or to Azure KeyVault so that it can be retrieved later. 41 | When saving to disk, the password is encrypted with either a pre-shared key or PKI certificate. 42 | 43 | ## EXAMPLES 44 | 45 | ### EXAMPLE 1 46 | ``` 47 | $Credential = New-PSCredential -Username 'svc.SharePoint.farm' -Path ./savedcredential.json -Thumbprint '87BB70A19A7671D389F49AF4C9608B2F381FDD80' 48 | ``` 49 | 50 | New-ADUser -Name $Credential.Username -AccountPassword $Credential.Password -Enabled:$true 51 | 52 | Creating a credential to be used as a service account, and creating the account. 53 | 54 | ## PARAMETERS 55 | 56 | ### -Username 57 | Username to use for the Credential to be created. 58 | 59 | ```yaml 60 | Type: String 61 | Parameter Sets: (All) 62 | Aliases: 63 | 64 | Required: True 65 | Position: 2 66 | Default value: None 67 | Accept pipeline input: True (ByValue) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -Path 72 | Path to the JSON file that will be created to save the encrypted credential. 
73 | 74 | ```yaml 75 | Type: String 76 | Parameter Sets: CertFile, CertificateThumbprint, LocalKey 77 | Aliases: 78 | 79 | Required: True 80 | Position: 3 81 | Default value: None 82 | Accept pipeline input: False 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -SecureKey 87 | A SecureString that is used as a Pre-Shared-Key for encrypting the credential password. 88 | 89 | ```yaml 90 | Type: SecureString 91 | Parameter Sets: LocalKey 92 | Aliases: 93 | 94 | Required: True 95 | Position: Named 96 | Default value: None 97 | Accept pipeline input: False 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ### -Thumbprint 102 | The thumbprint of a certificate on the local computer that will be used to encrypt the credential password. 103 | 104 | ```yaml 105 | Type: String 106 | Parameter Sets: CertificateThumbprint 107 | Aliases: 108 | 109 | Required: True 110 | Position: Named 111 | Default value: None 112 | Accept pipeline input: False 113 | Accept wildcard characters: False 114 | ``` 115 | 116 | ### -CertificateFile 117 | Path to a .CER certificate public key file that will be used to encrypt the credential password. 118 | 119 | ```yaml 120 | Type: String 121 | Parameter Sets: CertFile 122 | Aliases: 123 | 124 | Required: True 125 | Position: 2 126 | Default value: None 127 | Accept pipeline input: True (ByValue) 128 | Accept wildcard characters: False 129 | ``` 130 | 131 | ### -CertificateStore 132 | Specifies the certificate store that contains the certificate with the specified thumbprint. 133 | Either LocalMachine or CurrentUser. 134 | 135 | ```yaml 136 | Type: String 137 | Parameter Sets: CertificateThumbprint 138 | Aliases: 139 | 140 | Required: False 141 | Position: Named 142 | Default value: None 143 | Accept pipeline input: False 144 | Accept wildcard characters: False 145 | ``` 146 | 147 | ### -KeyVault 148 | The name of the Azure KeyVault that will be used to store the exported credential. 
149 | 150 | ```yaml 151 | Type: String 152 | Parameter Sets: KeyVault 153 | Aliases: 154 | 155 | Required: True 156 | Position: Named 157 | Default value: None 158 | Accept pipeline input: False 159 | Accept wildcard characters: False 160 | ``` 161 | 162 | ### -SecretName 163 | The name of the Azure KeyVault secret that will be created to store the exported credential. 164 | 165 | ```yaml 166 | Type: String 167 | Parameter Sets: KeyVault 168 | Aliases: 169 | 170 | Required: True 171 | Position: Named 172 | Default value: None 173 | Accept pipeline input: False 174 | Accept wildcard characters: False 175 | ``` 176 | 177 | ### CommonParameters 178 | This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 179 | For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). 180 | 181 | ## INPUTS 182 | 183 | ## OUTPUTS 184 | 185 | ## NOTES 186 | 187 | ## RELATED LINKS 188 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # PSCredentialTools 2 | 3 | PSCredentialTools provides methods for securely generating, storing and retrieving credentials and other sensitive data for use in PowerShell scripts and Desired State Configurations. Credentials can be saved to disk, encrypted with either a pre-shared-key or with a PKI certificate. Credentials can also be stored in Azure KeyVault as an Azure KeyVault Secret. 
4 | 5 | ## List of cmdlets 6 | 7 | PSCredentialTools includes the following cmdlets: 8 | 9 | ### PSCredentials cmdlets 10 | 11 | * [Export-PSCredential](docs/Export-PSCredential.md): encrypts and saves a PowerShell Credential object to file or to Azure KeyVault 12 | * [Import-PSCredential](docs/Import-PSCredential.md): decrypts a previously saved Credential back into a PowerShell Credential object 13 | * [New-PSCredential](docs/New-PSCredential.md): creates a new PowerShell credential object, with a random strong password, and saves it to an encrypted file or to Azure KeyVault 14 | 15 | ### Conversion cmdlets 16 | 17 | * [ConvertFrom-FIPSSecureString](docs/ConvertFrom-FIPSSecureString.md): Converts a PowerShell SecureString object into encrypted text, using a pre-shared-key. It uses the FIPS compliant AES Crypto Provider. 18 | * [ConvertTo-FIPSSecureString](docs/ConvertTo-FIPSSecureString.md): Converts a previously encrypted SecureString with a pre-shared-key back into a PowerShell SecureString object. 19 | * [ConvertFrom-PKISecureString](docs/ConvertFrom-PKISecureString.md): Converts a PowerShell SecureString object into encrypted text using a provided certificate's Public Key 20 | * [ConvertTo-PKISecureString](docs/ConvertTo-PKISecureString.md): Converts a previously encrypted SecureString back into a PowerShell SecureString object using the provided certificate's Private Key 21 | 22 | ## Contributing 23 | 24 | If you are interested in fixing issues and contributing directly to the code base, please see the [contributing](contributing.md) guide. 25 | 26 | ## License 27 | 28 | Licensed under the [MIT](LICENSE) License. --------------------------------------------------------------------------------