Closed user8446 closed 3 years ago
@user8446 There are no plans to support "master key" files in this approach, because then where would you store the master key? Completely defeats the purpose of the secret store.
Instead, for the scripted approach, it is recommended that you use a keyfile-only Keepass vault, and supply the keyfile, either from a protected removable physical medium such as a USB drive, or retrieved from something like Azure Key Vault.
I may consider storing the password in Credential Manager (DPAPI), but I have a completely separate vault for that purpose already, might as well keep the secrets there.
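The keyfile-only setup described in the comment above, as an added example (not code from the issue or from the SecretManagement.KeePass project). It assumes the module's `Register-SecretVault` parameters are named `Path`, `KeyPath` and `UseMasterPassword` as in the module README, that the keyfile lives on a removable volume labelled `KEEPASSKEY`, and that the vault and secret names are placeholders; check `Get-Help Register-SecretVault` and the README for your version.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, SecretManagement.KeePass
# Added example: open a keyfile-only KeePass vault from a script, with the keyfile
# supplied from a removable drive rather than stored on the machine.

# Locate the removable medium by volume label (label chosen for this example).
$volume = Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.FileSystemLabel -eq 'KEEPASSKEY' }
if (-not $volume) {
    throw 'Keyfile medium not present; refusing to open the vault.'
}

$keyPath = Join-Path "$($volume.DriveLetter):" 'vault.keyx'   # example keyfile name
$dbPath  = 'C:\Secrets\vault.kdbx'                            # example database path
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Keyfile not found at $keyPath"
}

# Keyfile-only vault: UseMasterPassword is off, so there is no prompt and no
# password to persist anywhere for non-interactive use. Parameter names are
# assumed from the module README.
if (-not (Get-SecretVault -Name KeePassKeyfile -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name KeePassKeyfile -ModuleName SecretManagement.KeePass -VaultParameters @{
        Path              = $dbPath
        KeyPath           = $keyPath
        UseMasterPassword = $false
    }
}

# Verify the vault actually opens with this keyfile before the script relies on it.
if (-not (Test-SecretVault -Name KeePassKeyfile)) {
    throw 'Vault registered but could not be opened; check the keyfile and database path.'
}

# Retrieve as SecureString and only convert at the point of use.
$apiKey = Get-Secret -Name 'ServiceApiKey' -Vault KeePassKeyfile
$cred   = [pscredential]::new('svc-account', $apiKey)
```

Keeping the keyfile off the fixed disk is what makes this stronger than a password in a file next to the script: without the medium, the script fails closed at the first check instead of opening the database.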
@JustinGrote Hi my reasoning to get away from credential manager is if the machine or windows user account changes then every. single. credential. will have to be made again. With the KeePass file and only the master password in credential manager, only that master password will have to be made again.
With that setup we are at the exact same level of security as with individual credentials in credential manager so we aren't weakening security.
As a temp workaround in Connect-KeepassDatabase.ps1 I just replaced getting the credentials with `$MasterPassword = (Import-Clixml -Path "C:\Users\Path\MyCredentials.xml").Password`. The master password is encrypted with DPAPI and now scripts can run.
Thank you again
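The DPAPI pattern described in the comment above, as an added example (not code from the issue, the commenter, or the module): the master password is captured once interactively, written with `Export-Clixml`, and read back non-interactively as a SecureString. The file location, vault name and secret name are placeholders; `Unlock-KeePassSecretVault` with `-Name` and `-Password` is assumed from later module versions, since at the time of this thread the command had not yet been added.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, SecretManagement.KeePass
# Added example: DPAPI-protected master password for non-interactive vault access.

$credFile = Join-Path $env:LOCALAPPDATA 'KeePassMaster.xml'   # example location

# One-time, interactive step. Export-Clixml encrypts the SecureString with DPAPI,
# scoped to this Windows user on this machine, which is exactly why the file stops
# decrypting when either the account or the machine changes.
if (-not (Test-Path -LiteralPath $credFile)) {
    Get-Credential -UserName 'KeePassMaster' -Message 'KeePass master password' |
        Export-Clixml -LiteralPath $credFile
}

# DPAPI protects the contents, not access to the file itself. Warn if anyone other
# than the owner, SYSTEM or Administrators has an ACE on it.
$me      = "$env:USERDOMAIN\$env:USERNAME"
$allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$extra   = (Get-Acl -LiteralPath $credFile).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Unexpected ACL entries on $credFile`: $($extra.IdentityReference.Value -join ', ')"
}

# Non-interactive step. A file copied from another user or machine fails here with
# "Key not valid for use in specified state", so fail loudly instead of prompting.
try {
    $master = (Import-Clixml -LiteralPath $credFile).Password   # SecureString, never plaintext
} catch {
    throw "Cannot decrypt $credFile as $me on $env:COMPUTERNAME`: $_"
}

# Assumed command and parameters from later versions of SecretManagement.KeePass.
Unlock-KeePassSecretVault -Name KeePass -Password $master
$secret = Get-Secret -Name 'ServiceApiKey' -Vault KeePass
```

For a scheduled task or service, run the one-time export under the same account the task runs as; a file exported from an interactive admin session will not decrypt for a different service account, which is the "every credential has to be made again" problem the thread is working around, reduced to a single file.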
@user8446 I'll consider adding it and throwing a warning every time :)
👍
Per the discussion in the other thread, I will add an Unlock-KeePassSecretVault command that will persist the entered master password as a secure string within the module scope, and will persist until the module is reloaded.
That's great and I'm looking forward to testing when ready. I was going to send you a coffee but didn't find a link.... ☕
@user8446 you can donate to OTAT :) https://www.facebook.com/otatpdx/
Good cause and done :)
Hello,
Currently you are unable to use the module in a script (non-interactively). Is it on the roadmap to be able to unlock in scripts? For example: `Unlock-KeePassVault -Password $password`. This is a similar issue to: https://github.com/PowerShell/SecretStore/issues/46
Thank you for the talent put into this!