Closed rmbolger closed 6 years ago
With PowerShell Core now in the mix, there's now a wrinkle with this plan. DPAPI isn't supported on anything except Windows. And in the current 6.0.0 release of PowerShell Core, all cmdlets that depend on DPAPI like Export-CliXml throw an ugly error message on non-Windows platforms regarding not being able to load "CRYPT32.dll".
The PowerShell-specific issue can be found here: PowerShell/PowerShell#1654. But ultimately, it depends on a closed CoreFX issue here: dotnet/corefx#22510
So basically, non-Windows platforms can't persist secrets with the same level of security as DPAPI provides. So do we try to obfuscate them manually? Just save them as clear text? Disallow saving credentials entirely?
My current preference is to still at least try to obfuscate them and maybe throw a warning that they're not as secure on the affected platforms?
For the time being, I think we'll just base64 encode the password on non-Windows platforms. And if the PowerShell team ever figures out a workaround to get these DPAPI-dependent cmdlets working, we'll switch over to using them.
Added with v1.3 release
Set-IBWAPIConfig is great for saving connection details in the current PowerShell session. But it would be nice if you could optionally save those details in the user's local profile so they are loaded automatically whenever the module is loaded.

There are obviously security implications in saving Infoblox credentials to the filesystem. But using something like Export-CliXml that utilizes DPAPI for encryption under the hood might be sufficient protection.
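The save-and-load behaviour discussed in this thread (Export-CliXml with DPAPI on Windows, a base64-encoded password with a warning elsewhere), sketched as an added example that is not the module's own code. The function names, the JSON layout and the `chmod 600` step are assumptions made for illustration.

```powershell
# Added illustration. Test-DpapiAvailable, Save-DemoCredential and
# Import-DemoCredential are hypothetical names, not part of the module.
function Test-DpapiAvailable {
    # $IsWindows exists only in PowerShell Core; Windows PowerShell always has DPAPI.
    return ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows
}

function Save-DemoCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Path
    )
    if (Test-DpapiAvailable) {
        # Export-Clixml writes the SecureString encrypted with DPAPI, so only
        # the same user on the same machine can decrypt it.
        $Credential | Export-Clixml -Path $Path
        return
    }
    Write-Warning "DPAPI is unavailable here. The password in '$Path' is base64 encoded, not encrypted."
    # Create the file and restrict it to its owner before any secret is written,
    # because the encoding itself gives no confidentiality.
    New-Item -ItemType File -Path $Path -Force | Out-Null
    chmod 600 $Path
    $plain = $Credential.GetNetworkCredential().Password
    [pscustomobject]@{
        UserName    = $Credential.UserName
        PasswordB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))
    } | ConvertTo-Json | Set-Content -Path $Path -Encoding utf8
}

function Import-DemoCredential {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-DpapiAvailable) {
        return Import-Clixml -Path $Path
    }
    $saved  = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $plain  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($saved.PasswordB64))
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    return [pscredential]::new($saved.UserName, $secure)
}

# Usage (constructed sample values):
# $cred = [pscredential]::new('admin', (ConvertTo-SecureString 'example-only' -AsPlainText -Force))
# Save-DemoCredential -Credential $cred -Path (Join-Path $HOME '.demo-cred')
# (Import-DemoCredential -Path (Join-Path $HOME '.demo-cred')).UserName
```

On the non-Windows branch, anyone who can read the file can recover the password, so file permissions are the only real control.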