PowerShell / SecretStore

MIT License

Unable to register SecretStore without supplying a password #84

Closed chadbaldwin closed 3 years ago

chadbaldwin commented 3 years ago

I'm having trouble figuring out how to register the SecretStore without a password from the beginning. AKA, you never have to provide a password at all. I can't tell if I'm doing something wrong, misunderstanding how it works, or if this is a bug?

Here's what I'm trying:

Install the modules:

Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

Register a new SecretVault using the SecretStore module as the default:

Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

Now here is where I run into issues...

If I try this:

Set-SecretStoreConfiguration -Interaction None -Authentication None

I end up with this:

PS C:\> Set-SecretStoreConfiguration -Interaction None -Authentication None

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****
A password is no longer required for the local store configuration.
To complete the change please provide the current password.
Enter password:
****
PS C:\>

I can't tell if I'm doing something wrong? It doesn't make sense for it to ask me for a password if I say it doesn't need one, and then ask me to provide the same password to remove it.

If it's not a bug, then the only thing I can think of is that it's still using the password behind the scenes for the encryption/decryption process, and the setting Authentication is more about usage of the vault, but the password itself is still used for encryption/decryption.


I also tried passing in default registration parameters to Register-SecretVault like this:

-VaultParameters @{Authentication='None'; Interaction='None'}

And it still required a password, in fact, it didn't even apply the settings after registration, it seems to ignore them completely:

PS C:\> Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name SecretStore `
            -VaultParameters @{Authentication='None'; Interaction='None'} -DefaultVault
PS C:\> Set-Secret -Name Testing -Secret 'Testing123'
Creating a new SecretStore vault. A password is required by the current store configuration.
Enter password:
****
Enter password again for verification:
****
PS C:\> Get-SecretStoreConfiguration

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password             900      Prompt

PS C:\>

PaulHigin commented 3 years ago

This is kind of a chicken and egg thing. SecretStore needs a configuration when loaded and it will default to the interactive password required configuration by default.

You can avoid this by running Set-SecretStoreConfiguration first thing after installing the module (before you register SecretStore as an extension vault).

Alternatively, you can also use Reset-SecretStore to force set the configuration. This causes any secret data to be deleted, but since you haven't yet added any secret data, it should be OK to use.

PS C:\> Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name SecretStore -DefaultVault

PS C:\> Reset-SecretStore -Authentication None -Interaction None -Force
WARNING: !!This operation completely removes all SecretStore module secrets and resets configuration settings to new values!!

PS C:\> Set-Secret -Name Testing -Secret 'Testing123'

PS C:\> Get-SecretInfo

Name    Type   VaultName
----    ----   ---------
Testing String SecretStore

PS C:\> Get-Secret -Name Testing -AsPlainText
Testing123

chadbaldwin commented 3 years ago

@PaulHigin, thanks! That appears to work for me.

I would think that when the vault is initially configured it would splat the parameters from -VaultParameters and use those as the new defaults. It seems odd that in your example, the "Authentication" and "Interaction" parameters are specified twice.

PaulHigin commented 3 years ago

Whoops, I just copied/pasted. There is no need to pass Authentication/Interaction as vault parameters, as SecretStore does not currently handle them.

chadbaldwin commented 3 years ago

@PaulHigin Ah! Okay, that completely clears that up then. Thanks! I guess since this isn't a bug, and it's intentional (though I'd admit a bit of an odd workflow) I'll close with comment. Thanks!