JustinGrote / SecretManagement.KeePass

MIT License

Unlock SecretManagement.KeePass in a script #35

Closed user8446 closed 3 years ago

user8446 commented 3 years ago

Hello,

Currently you are unable to use the module in a script (non-interactively). Is it on the roadmap to be able to unlock in scripts? (for example: Unlock-KeePassVault -Password $password).

This is a similar issue to: https://github.com/PowerShell/SecretStore/issues/46

Thank you for the talent put into this!

JustinGrote commented 3 years ago

@user8446 There are no plans to support "master key" files in this approach, because then where would you store the master key? Completely defeats the purpose of the secret store.

Instead, for the scripted approach, it is recommended that you use a keyfile-only Keepass vault, and supply the keyfile, either from a protected removable physical medium such as a USB drive, or retrieved from something like Azure Key Vault.

I may consider storing the password in Credential Manager (DPAPI), but I have a completely separate vault for that purpose already, might as well keep the secrets there.

user8446 commented 3 years ago

@JustinGrote Hi, my reasoning to get away from Credential Manager is if the machine or Windows user account changes then every. single. credential. will have to be made again. With the KeePass file and only the master password in Credential Manager, only that master password will have to be made again.

With that setup we are at the exact same level of security as with individual credentials in Credential Manager, so we aren't weakening security.

As a temp workaround, in Connect-KeepassDatabase.ps1 I just replaced getting the credentials with $MasterPassword = (Import-Clixml -Path "C:\Users\Path\MyCredentials.xml").Password. The master password is encrypted with DPAPI and now scripts can run.

Thank you again

JustinGrote commented 3 years ago

@user8446 I'll consider adding it and throwing a warning every time :)

user8446 commented 3 years ago

👍

JustinGrote commented 3 years ago

Per the discussion in the other thread, I will add an Unlock-KeePassSecretVault command that will persist the entered master password as a secure string within the module scope, and will persist until the module is reloaded.
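The DPAPI-protected Import-Clixml workaround from the earlier comment, combined with the Unlock-KeePassSecretVault command announced above, as an added example that is not part of this thread or of the module's own code. The -Name and -Password parameter names, the function names and the file paths are assumptions; what the example adds is the fail-closed handling when the file is read by a different user or on a different machine, which is exactly the DPAPI scope behaviour the thread relies on.

```powershell
# One-time setup: run interactively as the account that will later run the script.
# Export-Clixml protects the SecureString with DPAPI in current-user scope, so only
# that Windows user (with its DPAPI profile keys) can decrypt the file again.
function Save-VaultMasterPassword {
    param([Parameter(Mandatory)][string]$Path)
    $cred = Get-Credential -UserName 'KeePassMaster' -Message 'Enter the KeePass master password'
    $cred | Export-Clixml -Path $Path
    # DPAPI already binds the blob to the user; a tight ACL additionally keeps the
    # ciphertext itself away from other local accounts.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Scripted unlock. Fails closed: if the file was copied to another machine or is read
# by another user, DPAPI decryption fails and Import-Clixml throws, so the script
# stops with a clear message instead of continuing with a locked (or no) vault.
function Unlock-VaultFromDpapiFile {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Path
    )
    try {
        $master = (Import-Clixml -Path $Path).Password   # SecureString, decrypted for this user only
    } catch {
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME (DPAPI scope mismatch or corrupt file): $_"
    }
    # Assumed parameter names for the Unlock-KeePassSecretVault command discussed in this thread.
    Unlock-KeePassSecretVault -Name $VaultName -Password $master
    Remove-Variable -Name master   # the module now holds the secure string; drop our reference
}

# Usage (constructed paths and vault name):
# Save-VaultMasterPassword -Path "$env:USERPROFILE\keepass-master.xml"    # once, interactively
# Unlock-VaultFromDpapiFile -VaultName 'MyVault' -Path "$env:USERPROFILE\keepass-master.xml"
# Get-Secret -Name 'SomeEntry' -Vault 'MyVault'
```

Because the protection is DPAPI user scope, rotating the Windows account or rebuilding the machine without a roaming profile invalidates only this one file, which is the single-secret re-creation the thread describes.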

user8446 commented 3 years ago

That's great and I'm looking forward to testing when ready. I was going to send you a coffee but didn't find a link... ☕

JustinGrote commented 3 years ago

@user8446 you can donate to OTAT :) https://www.facebook.com/otatpdx/

user8446 commented 3 years ago

Good cause and done :)