PowerShell / SecretStore

MIT License

Registering an additional store just creates another reference to the first store #76

Open nahir31 opened 3 years ago

nahir31 commented 3 years ago

Steps to reproduce:

  1. Register the first store of type Microsoft.PowerShell.SecretStore, name it say MyWallet
  2. Create two secrets, e.g., C1 & C2
  3. Register another store, also of type Microsoft.PowerShell.SecretStore, e.g., BlackWallet
  4. Make a new secret to BlackWallet, say C3
  5. You would expect to have a total of 3 secrets: C1, C2 (MyWallet) plus C3 (BlackWallet), but...

     PS> Get-SecretInfo

     Name Type   VaultName
     ---- ----   ---------
     C1   String MyWallet
     C2   String MyWallet
     C3   String MyWallet
     C1   String BlackWallet
     C2   String BlackWallet
     C3   String BlackWallet

  6. Removing any of the secrets will remove it from both stores/wallets.
PaulHigin commented 3 years ago

This is currently by design for the SecretStore extension vault. It is limited to a single vault for a single user account (-Scope CurrentUser). We plan to enhance it to include a machine wide scope (-Scope AllUsers) at some point, but there would still be just one vault instance for the entire machine.

We can consider supporting multiple vault instances (per user or per machine) in the future. I assume the reason for this would be to store specific types of secrets in different vault instances? Each vault instance would have its own password (if password configuration is selected).

nahir31 commented 3 years ago

Alright but in the meantime you should have blocked the possibility to register more than a single vault of the same type.

The current situation might easily lead to data loss: the user sees what appears to be two different vaults (since they are shown with different names), then he/she might remove secrets from one of these vaults without realizing that by doing so they are actually removing the data forever from both.

PaulHigin commented 3 years ago

That is a good point. We currently allow multiple registrations in case an extension vault provides for it. But I can see how this leads to confusion. I think we can solve this problem by having extension vaults indicate whether they support multiple registration, and if not then emit an error.

PaulHigin commented 3 years ago

I'll create an issue in Microsoft.PowerShell.SecretManagement for this.

https://github.com/PowerShell/SecretManagement/issues/167#issue-942418437

robinmalik commented 2 years ago

I also hit this issue (I was discussing with colleagues how we might utilise the SecretStore module for automation and configuring a vault per internal technical service). We'll use a single vault for now.
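Until SecretManagement rejects a second registration of a single-instance vault, a caller-side guard covers the data-loss case raised above. The following is an added example, not code from the SecretStore or SecretManagement projects; it uses the real Get-SecretVault and Remove-Secret cmdlets, and the vault and secret names (MyWallet, BlackWallet, C3) are the hypothetical ones from the report.

```powershell
# Guard against the aliasing described in this issue: every registration of
# Microsoft.PowerShell.SecretStore points at the same single per-user store,
# so Remove-Secret through any of them deletes the secret everywhere.
# Requires Microsoft.PowerShell.SecretManagement to be installed.

function Get-AliasedSecretStoreVault {
    # Return the names of all registered vaults backed by the SecretStore module.
    # More than one name means they are aliases of one store, not separate stores.
    [CmdletBinding()]
    param()
    $names = Get-SecretVault |
        Where-Object ModuleName -eq 'Microsoft.PowerShell.SecretStore' |
        Select-Object -ExpandProperty Name
    return @($names)
}

function Remove-SecretSafely {
    # Refuse to delete through an aliased SecretStore registration unless -Force,
    # and name every other vault the deletion would also affect.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Vault,
        [switch]$Force
    )
    $aliases = Get-AliasedSecretStoreVault
    if ($aliases.Count -gt 1 -and $aliases -contains $Vault -and -not $Force) {
        $others = ($aliases | Where-Object { $_ -ne $Vault }) -join ', '
        throw ("Vault '{0}' shares its store with: {1}. Removing '{2}' deletes it " +
               "from all of them; re-run with -Force to confirm." -f $Vault, $others, $Name)
    }
    if ($PSCmdlet.ShouldProcess("$Name in $Vault", 'Remove-Secret')) {
        Remove-Secret -Name $Name -Vault $Vault
    }
}

# Reproduction from the issue, then the guarded removal (hypothetical names):
# Register-SecretVault -Name MyWallet    -ModuleName Microsoft.PowerShell.SecretStore
# Register-SecretVault -Name BlackWallet -ModuleName Microsoft.PowerShell.SecretStore
# Get-AliasedSecretStoreVault                      # MyWallet, BlackWallet
# Remove-SecretSafely -Name C3 -Vault BlackWallet  # throws until -Force is given
```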