secretstore's Introduction

PowerShell

Welcome to the PowerShell GitHub Community! PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool/framework that works well with your existing tools and is optimized for dealing with structured data (e.g. JSON, CSV, XML, etc.), REST APIs, and object models. It includes a command-line shell, an associated scripting language, and a framework for processing cmdlets.

Windows PowerShell vs. PowerShell Core

Although this repository started as a fork of the Windows PowerShell codebase, changes made in this repository are not automatically ported back to Windows PowerShell 5.1. This also means that issues tracked here are only for PowerShell Core 6 and higher. Windows PowerShell specific issues should be reported with the Feedback Hub app, by choosing "Apps > PowerShell" in the category.

New to PowerShell?

If you are new to PowerShell and want to learn more, we recommend reviewing the getting started documentation.

Get PowerShell

You can download and install a PowerShell package for any of the following platforms.

Supported Platform Download (LTS) Downloads (stable) Downloads (preview) How to Install
Windows (x64) .msi .msi .msi Instructions
Windows (x86) .msi .msi .msi Instructions
Ubuntu 22.04 .deb .deb .deb Instructions
Ubuntu 20.04 .deb .deb .deb Instructions
Ubuntu 18.04 .deb .deb .deb Instructions
Ubuntu 16.04 .deb N/A N/A Instructions
Debian 10 .deb .deb .deb Instructions
Debian 11 .deb .deb .deb
CentOS 7 .rpm .rpm .rpm Instructions
CentOS 8 .rpm .rpm .rpm
Red Hat Enterprise Linux 7 .rpm .rpm .rpm Instructions
openSUSE 42.3 .rpm .rpm .rpm Instructions
Fedora 35 .rpm .rpm .rpm Instructions
macOS 10.13+ (x64) .pkg .pkg .pkg Instructions
macOS 11+ (arm64) .pkg .pkg .pkg Instructions
Docker Instructions

You can download and install a PowerShell package for any of the following platforms, which are supported by the community.

Platform Downloads (stable) Downloads (preview) How to Install
Arch Linux Instructions
Kali Linux .deb .deb Instructions
Many Linux distributions Snapcraft Snapcraft

You can also download the PowerShell binary archives for Windows, macOS, and Linux.

Platform Downloads (stable) Downloads (preview) How to Install
Windows 32-bit/64-bit 32-bit/64-bit Instructions
macOS (x64) 64-bit 64-bit Instructions
macOS (arm64) 64-bit 64-bit Instructions
Linux 64-bit 64-bit Instructions
Windows (ARM) 64-bit (preview) 64-bit Instructions
Raspbian (ARM) 32-bit/64-bit 32-bit/64-bit Instructions

To install a specific version, visit releases.

Upgrading PowerShell

For best results when upgrading, you should use the same install method you used when you first installed PowerShell. The update method will be different for each platform and install method. For more information, see Installing PowerShell.

Community Dashboard

Dashboard with visualizations for community contributions and project status using PowerShell, Azure, and PowerBI.

For more information on how and why we built this dashboard, check out this blog post.

Discussions

GitHub Discussions is a feature to enable free and open discussions within the community for topics that are not related to code, unlike issues.

This is an experiment we are trying in our repositories, to see if it helps move discussions out of issues so that issues remain actionable by the team or members of the community. There should be no expectation that PowerShell team members are regular participants in these discussions. Individual PowerShell team members may choose to participate in discussions, but the expectation is that community members help drive discussions so that team members can focus on issues.

Create or join a discussion.

Chat

Want to chat with other members of the PowerShell community?

There are dozens of topic-specific channels on our community-driven PowerShell Virtual User Group, which you can join on:

Add-ons and libraries

Awesome PowerShell has a great curated list of add-ons and resources.

Building the Repository

Linux Windows macOS
Instructions Instructions Instructions

If you have any problems building, consult the developer FAQ.

Downloading the Source Code

You can clone the repository:

git clone https://github.com/PowerShell/PowerShell.git

For more information, see working with the PowerShell repository.

Developing and Contributing

Please look into the Contribution Guide to know how to develop and contribute. If you are developing .NET Core C# applications targeting PowerShell Core, check out our FAQ to learn more about the PowerShell SDK NuGet package.

Also, make sure to check out our PowerShell-RFC repository for request-for-comments (RFC) documents to submit and give comments on proposed and future designs.

Support

For support, see the Support Section.

Legal and Licensing

PowerShell is licensed under the MIT license.

Windows Docker Files and Images

License: By requesting and using the Container OS Image for Windows containers, you acknowledge, understand, and consent to the Supplemental License Terms available on Docker Hub:

Telemetry

Please visit our about_Telemetry topic to read details about telemetry gathered by PowerShell.

Governance

The governance policy for the PowerShell project is described here.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

secretstore's People

Contributors

markiannucci, michaeltlombardi, paulhigin, sdwheeler, stevel-msft, sydneyhsmith

secretstore's Issues

Set-Secret and Get-SecretStoreConfiguration throws an exception as a normal user

Installed both SecretManagement and SecretStore from an elevated prompt. Then registered two SecretStore vaults, one under an Administrator scope via the elevated prompt, and one as a normal user scope. When attempting to Set-Secret as the normal user, the exception is:

PS C:\Users\Me> Set-Secret -Name MySecret Secret "TestSecret"
Exception calling "GetInstance" with "0" argument(s): "The type initializer for
'Microsoft.PowerShell.SecretStore.SecureStoreFile' threw an exception."
At C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.SecretStore\0.5.2\Microsoft.PowerShell.SecretStore.E
xtension\Microsoft.PowerShell.SecretStore.Extension.psm1:123 char:17
+ ...         if ([Microsoft.PowerShell.SecretStore.LocalSecretStore]::GetI ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : TypeInitializationException

Exception calling "GetInstance" with "0" argument(s): "The type initializer for
'Microsoft.PowerShell.SecretStore.SecureStoreFile' threw an exception."
At C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.SecretStore\0.5.2\Microsoft.PowerShell.SecretStore.E
xtension\Microsoft.PowerShell.SecretStore.Extension.psm1:123 char:17
+ ...         if ([Microsoft.PowerShell.SecretStore.LocalSecretStore]::GetI ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : TypeInitializationException

Even running Get-SecretStoreConfiguration under the normal user scope results in:

PS C:\Users\Me> Get-SecretStoreConfiguration
Get-SecretStoreConfiguration : The type initializer for 'Microsoft.PowerShell.SecretStore.SecureStoreFile' threw an
exception.
At line:1 char:1
+ Get-SecretStoreConfiguration
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-SecretStoreConfiguration], TypeInitializationException
    + FullyQualifiedErrorId : System.TypeInitializationException,Microsoft.PowerShell.SecretStore.GetSecretStoreConfig
   uration

Set-SecretStoreConfiguration failed under Linux

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest released version
  • Search the existing issues.

Steps to reproduce

Register-SecretVault -Name SecretStore -ModuleName Microsoft.Powershell.SecretStore -DefaultVault -AllowClobber
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication None -PasswordTimeout 0 -Confirm:$false

Module Microsoft.PowerShell.SecretStore Version: 1.0.6
Module Microsoft.PowerShell.SecretManagement Version: 1.1.2

Under Windows works fine!

Expected behavior

Vault Microsoft.PowerShell.SecretStore requires no password.

Actual behavior

Vault Microsoft.PowerShell.SecretStore requires a password.

Error details

If password entered:

Set-SecretStoreConfiguration: Store file integrity check failed.
The provided password may be invalid, or store files have become corrupted or have been tampered with.

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.6
PSEdition                      Core
GitCommitId                    7.2.6
OS                             Linux 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

1.0

Visuals

No response

Set-SecretStoreConfiguration PasswordRequired unintuitive

Setting PasswordRequired to false requires using the unintuitive syntax for switch parameters of -PasswordRequired:$false. Can this parameter be updated to use two different switches as described in #20? Most beginner/intermediate PowerShell users won't know that the -PasswordRequired:$false syntax exists. The other issue comes if NoPasswordRequired is used: then a double negative has to be used to get the default value, -NoPasswordRequired:$false, causing user confusion.

PS C:\> Set-SecretStoreConfiguration -PasswordRequired

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser             True             900       False

PS C:\> Set-SecretStoreConfiguration -PasswordRequired:$false

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****
A password is no longer required for the local store configuration.
To complete the change please provide the current password.
Enter password:
****

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser            False             900       False

Multiple Configurations Possible?

Hello,
I think this would probably require significant work, but are there any plans to add support for multiple different configurations? I'm looking to have a non-default Vault using SecretStore that doesn't have a password to be used as part of a module I'm writing to store API keys.

As far as I can tell, if I were to do this now, my module creating a passwordless configuration would prevent the user from being able to have their own, password-locked separate Vault.

Assuming my understanding of the current configuration is accurate, is support for something like this on the roadmap?

Thanks!

Getting "Padding is invalid and cannot be removed" when trying to use store in local session when it was set up with remoting

I set up the secret store under a user with PowerShell remoting. However, when running PowerShell under that user, either in a local session or with right clicking on the Windows PowerShell shortcut and choosing run as different user, I'm getting "Padding is invalid and cannot be removed" whatever I do. This also happens the other way around, i.e. when the secret store was set up in a local session and I'm trying to access it in a PowerShell remoting session.

Unlock-SecretStore not working when using Remote-SSH connection in VsCode

When utilizing a remote ssh session in VsCode, I am not able to unlock the Secret Store.

Command ran:

Unlock-SecretStore -Password $credSecretStore

The Error given is basic:

The provided password is incorrect for the Microsoft.PowerShell.SecretStore module vault.

However, when I convert my secure string, it is indeed the correct password, and it works to unlock the vault when I am using it logged into the machine via remote desktop using the same account.

Is this a supported situation? I hope it is, since I was excited to use VsCode remote for connecting to my machine and running code on it, however I utilize the SecretStore in almost all of my processes. Appreciate any insight on this!!

Exception when calling `Get-SecretStoreConfiguration` and `Set-Secret`

I installed both SecretStore and SecretManagement modules and tried to follow the examples in the blog post announcing the release. However, I get the exceptions shown below:

Screenshot 2021-03-26 103957

PS Version info:

Name                           Value
----                           -----
PSVersion                      7.1.2
PSEdition                      Core
GitCommitId                    7.1.2
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

The cmdlet `Update-SecretStorePassword` should be `Set-SecretStorePassword` or `Edit-SecretStorePassword`

Update-SecretStorePassword changes the password for a vault. However, the Approved Verbs List defines the Update verb as:

Brings a resource up-to-date to maintain its state, accuracy, conformance, or compliance. For example, the Update-FormatData cmdlet updates and adds formatting files to the current PowerShell console.

Its API documentation defines it as:

Update a resource with new elements or refresh from a source of truth

That does not seem to be what Update-SecretStorePassword does. The most obvious correct verb to use for this is Set, which the Approved Verbs List defines as:

Replaces data on an existing resource or creates a resource that contains some data. For example, the Set-Date cmdlet changes the system time on the local computer. (The New verb can also be used to create a resource.) This verb is paired with Get.

If Set seems inappropriate, the other major alternative is Edit, which the Approved Verbs List defines as:

Modifies existing data by adding or removing content.

Its API documentation defines it as:

Performs an in-place modification of a resource.

The Approved Verbs List also notes about Edit:

For this action, do not use verbs such as Change, Update, or Modify.

(Emphasis mine.)

As this is a very new preview module, there should not be support requirements preventing this change. If there are, an alias could be used to prevent breakage.

Updating module in pwsh 7.2

From issue #61

I have a similar issue, but maybe not, perhaps a different issue?

I can use the modules in pwsh 7.2 but when using update-module or Get-InstalledModule it does not show up (says was not installed using Install-Module)

The module does show up in powershell 5.1 with Get-InstalledModule

I want to update the module, and I'm fairly certain I didn't do any other type of installation for pwsh. What is the best course of action to update in pwsh 7.2 (desiring to use the Install-Module method)?

Originally posted by @davesbrown in #61 (comment)

SecretStore requires Full Language mode

Or, a security configuration prevents the operation of a security tool.

On a Secure Admin Workstation or SAW that is configured to run Windows PowerShell and/or PowerShell in a Constrained Language mode, Microsoft.PowerShell.SecretStore errors.

PS5 C:\Users\user>$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PS5 C:\Users\User>Set-Secret -Name 'CORP/User' -Secret (Get-Credential -Credential 'CORP\User') -Vault SecretStoreWPS
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:10 char:13
+             $module = Get-Module -Name ([System.IO.Path]::GetFileName ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

Cannot use '&' or '.' operators to invoke a module scope command across language boundaries.
At line:18 char:13
+             & $module "$ImplementingModuleName\$Command" @Params
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : CantInvokeCallOperatorAcrossLanguageBoundaries
PS7 C:\Users\User>$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PS7 C:\Users\scsurber>Set-Secret -Name 'CORP/User' -Secret (Get-Credential -Credential 'CORP\User')

PowerShell credential request
Enter your credentials.
Password for user CORP\User: **********

InvalidOperation:
Line |
  10 |              $module = Get-Module -Name ([System.IO.Path]::GetFileName …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot invoke method. Method invocation is supported only on core types in this language mode.
InvalidOperation:
Line |
  18 |              & $module "$ImplementingModuleName\$Command" @Params
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot use '&' or '.' operators to invoke a module scope command across language boundaries.

Or we update documentation to specify Full Language mode required.

ProjectUri entry is missing from src/Microsoft.PowerShell.SecretStore.psd1

The PrivateData.PSData.ProjectUri entry in the module manifest is what tells the PowerShell Gallery where a module's repository can be found, and is surfaced via a Project Site link in the sidebar on the left:

image

This entry is currently missing from the manifest (the repo is currently only linked to from the Description key, and that part isn't visible by default).

Upgrading PowerShell Core version affected secrets store

I have upgraded PowerShell from 7.1.2 to 7.1.3 and noticed local secrets stored might have disappeared.

Is it the expected behavior? What is the right procedure to upgrade PowerShell with local secret store in use?

Thanks.

Cannot use Set-SecretStoreConfiguration from a Script

Hello,
Really like SecretStore and SecretManagement!

Unless I'm missing something, it doesn't appear to be possible to run Set-SecretStoreConfiguration non-interactively. Even if I've already run Unlock-SecretStore, Set-SecretStoreConfiguration still prompts for a password and there doesn't seem to be a parameter to pass said password.

Thanks!
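
An added example (not part of the issue above and not the project's code) of configuring and unlocking the store from a script with no prompts. It assumes a SecretStore release in which Set-SecretStoreConfiguration accepts a -Password parameter; `Initialize-SecretStoreForAutomation` and the password file path are hypothetical.

```powershell
# Added example. Initialize-SecretStoreForAutomation is a hypothetical helper name.
function Initialize-SecretStoreForAutomation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [securestring] $StorePassword,

        [string] $VaultName = 'SecretStore',

        # Seconds the store stays unlocked after Unlock-SecretStore
        [int] $PasswordTimeoutSeconds = 3600
    )

    # Refuse an empty password up front.
    if ($StorePassword.Length -eq 0) {
        throw 'Refusing to configure the store with an empty password.'
    }

    # Register the vault only once so the script can be rerun safely.
    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
    }

    # Password authentication stays on; only the prompting is switched off.
    $config = @{
        Scope           = 'CurrentUser'
        Authentication  = 'Password'
        PasswordTimeout = $PasswordTimeoutSeconds
        Interaction     = 'None'
        Password        = $StorePassword   # assumption: -Password exists in the installed version
        Confirm         = $false
    }
    Set-SecretStoreConfiguration @config

    # With Interaction = None the store never prompts, so unlock it explicitly.
    Unlock-SecretStore -Password $StorePassword

    Get-SecretStoreConfiguration
}

# Placeholder location for the persisted store password.
$passwordFile = Join-Path $HOME 'secretstore-password.xml'

# One-time interactive step, run as the account that owns the store:
#   Read-Host -Prompt 'Store password' -AsSecureString | Export-Clixml -Path $passwordFile
# On Windows, Export-Clixml encrypts a SecureString for the current user on the
# current machine. On Linux and macOS the value is only obfuscated, so protect
# the file by other means there.

if (Test-Path -LiteralPath $passwordFile) {
    $storePassword = Import-Clixml -Path $passwordFile
    Initialize-SecretStoreForAutomation -StorePassword $storePassword
}
```

After the timeout elapses the store locks again, and a long-running script has to call Unlock-SecretStore once more before reading secrets.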

Unable to register SecretStore without supplying a password

I'm having trouble figuring out how to register the SecretStore without a password from the beginning. AKA, you never have to provide a password at all. I can't tell if I'm doing something wrong, misunderstanding how it works, or if this is a bug?

Here's what I'm trying:

Install the modules:

Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

Register a new SecretVault using the SecretStore module as the default:

Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

Now here is where I run into issues...

If I try this:

Set-SecretStoreConfiguration -Interaction None -Authentication None

I end up with this:

PS C:\> Set-SecretStoreConfiguration -Interaction None -Authentication None

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****
A password is no longer required for the local store configuration.
To complete the change please provide the current password.
Enter password:
****
PS C:\>

I can't tell if I'm doing something wrong? It doesn't make sense for it to ask me for a password if I say it doesn't need one, and then ask me to provide the same password to remove it.

If it's not a bug, then the only thing I can think of is that it's still using the password behind the scenes for the encryption/decryption process, and the setting Authentication is more about usage of the vault, but the password itself is still used for encryption/decryption.


I also tried passing in default registration parameters to Register-SecretVault like this:

-VaultParameters @{Authentication='None'; Interaction='None'}

And it still required a password, in fact, it didn't even apply the settings after registration, it seems to ignore them completely:

PS C:\> Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name SecretStore `
            -VaultParameters @{Authentication='None'; Interaction='None'} -DefaultVault
PS C:\> Set-Secret -Name Testing -Secret 'Testing123'
Creating a new SecretStore vault. A password is required by the current store configuration.
Enter password:
****
Enter password again for verification:
****
PS C:\> Get-SecretStoreConfiguration

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password             900      Prompt

PS C:\>

Set-SecretStoreConfiguration should consider ensure dependent property value pairing

Set-SecretStoreConfiguration can be used to set the Interaction level to None from the default Prompt. However, by default the secret store requires a password for any configuration retrieval or changes. Therefore setting only the Interaction property of the secret store configuration will result in a lockdown of the store.

PS C:\> Get-SecretStoreConfiguration
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password             900      Prompt

PS C:\> Set-SecretStoreConfiguration -Interaction None -Verbose

PS C:\> Get-SecretStoreConfiguration
Get-SecretStoreConfiguration : A valid password is required to access the Microsoft.PowerShell.SecretStore vault.
At line:1 char:1
+ Get-SecretStoreConfiguration
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-SecretStoreConfiguration], PasswordRequiredException
    + FullyQualifiedErrorId : Microsoft.PowerShell.SecretManagement.PasswordRequiredException,Microsoft.PowerShell.SecretStor 
   e.GetSecretStoreConfiguration

At this point, the only way out is to reset the secret store or reset specific configuration. Either results in losing all module secrets as per the warning.

PS C:> Reset-SecretStore -Authentication None
WARNING: !!This operation will completely remove all SecretStore module secrets and reset configuration settings to default values!!

Instead of allowing changing the Interaction property individually, the Set-SecretStoreConfiguration should pair the values of Authentication and Interaction properties.
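
The pairing check requested above can be approximated in a wrapper that judges the resulting Authentication/Interaction pair before anything is written. This is an added example, not part of the issue and not SecretStore code; `Test-SecretStoreConfigPair` and `Set-SecretStoreConfigurationChecked` are hypothetical names, and the code relies only on the cmdlets and property names visible in the transcript above.

```powershell
# Added example. Both function names are hypothetical.

# Pure check: classify an Authentication/Interaction pair.
function Test-SecretStoreConfigPair {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Password')]
        [string] $Authentication,

        [Parameter(Mandatory)][ValidateSet('None', 'Prompt')]
        [string] $Interaction,

        # Set when the caller will unlock the store itself (Unlock-SecretStore -Password)
        [switch] $HasUnlockPassword
    )

    $finding = 'Ok'
    if ($Authentication -eq 'Password' -and $Interaction -eq 'None' -and -not $HasUnlockPassword) {
        # A password is required but the store may not ask for it:
        # calls end in PasswordRequiredException, as in the transcript above.
        $finding = 'PasswordRequiredButCannotPrompt'
    }
    elseif ($Authentication -eq 'None') {
        # No password protects the store contents.
        $finding = 'NoPasswordProtection'
    }

    [pscustomobject]@{
        Authentication = $Authentication
        Interaction    = $Interaction
        Finding        = $finding
        Safe           = ($finding -eq 'Ok')
    }
}

# Wrapper: merge the requested change with the current configuration, then check the pair.
function Set-SecretStoreConfigurationChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('None', 'Password')][string] $Authentication,
        [ValidateSet('None', 'Prompt')][string] $Interaction,
        [switch] $HasUnlockPassword
    )

    # A single-property change is judged as the pair it produces.
    $current = Get-SecretStoreConfiguration
    $newAuthentication = if ($PSBoundParameters.ContainsKey('Authentication')) { $Authentication } else { "$($current.Authentication)" }
    $newInteraction = if ($PSBoundParameters.ContainsKey('Interaction')) { $Interaction } else { "$($current.Interaction)" }

    $check = Test-SecretStoreConfigPair -Authentication $newAuthentication -Interaction $newInteraction -HasUnlockPassword:$HasUnlockPassword

    if ($check.Finding -eq 'PasswordRequiredButCannotPrompt') {
        throw 'Refusing change: Authentication=Password with Interaction=None and no unlock password would leave the store unreachable.'
    }
    if ($check.Finding -eq 'NoPasswordProtection') {
        Write-Warning 'The store will be configured without a password, which is less secure.'
    }

    if ($PSCmdlet.ShouldProcess('SecretStore module local store', 'Changes local store configuration')) {
        Set-SecretStoreConfiguration -Authentication $newAuthentication -Interaction $newInteraction -Confirm:$false
    }
    $check
}

# The pair reached in the transcript: Authentication stays Password, Interaction becomes None.
Test-SecretStoreConfigPair -Authentication Password -Interaction None
# The same pair is acceptable when the script unlocks the store itself.
Test-SecretStoreConfigPair -Authentication Password -Interaction None -HasUnlockPassword
```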

Request: Multiple instances of SecretStore

I don't know if this is a documentation issue or a bug, so I'll ask. I have a vault registered using Microsoft.PowerShell.SecretStore. I then tried to create a second vault.

 Register-SecretVault -Name demo -Description "test vault" -ModuleName microsoft.powershell.secretstore

Get-SecretVault shows it. I have nothing in the vault but if I run Get-SecretInfo, I see all the entries from my default vault, even though the vault name shows the new demo vault. Are we limited to one vault per user of a given module? If so, that needs to be clearer in the documentation.

Should give warning if user chooses no password

When a new SecretStore is created, it prompts for password, the user is allowed to have no password, but we should emit warning.

PS> Get-SecretInfo
Creating a new SecretStore vault. A password is required by the current store configuration.
Enter password:

Enter password again for verification:

WARNING: The SecretStore vault is configured without a password which is less secure.

Allow data file to be stored in an alternative location.

According to the design docs, the data file is always stored in $env:USERPROFILE\AppData\Local\Microsoft\PowerShell\secretmanagement\localstore\ .

I would like the data file to be synced across multiple devices with something like OneDrive or Google Drive (I'm comfortable with the security/convenience tradeoffs of this when using password encryption).

This would require the data file to be stored in a location different from the default.

Update: actually, after having read more about the design of the data file, I'm not sure this would work at all. Feel free to close this issue.

Cannot use Set-SecretStorePassword with parameter arguments to set a new password, without an existing password

I'm trying to set a new password for SecretStore using parameter arguments rather than interactively.

Based on what's written in the documentation, something like this should work when no password has been previously set:

Set-SecretStorePassword -NewPassword $newPassword

However I'm getting this error and cannot leave the -Password argument blank, no matter my input type:

PS C:\Users\k> Set-SecretStorePassword -NewPassword $MyCredential.Password
Set-SecretStorePassword : Cannot bind parameter 'NewPassword'. Cannot convert the "System.Security.SecureString" value
of type "System.String" to type "System.Security.SecureString".
At line:1 char:38
+ Set-SecretStorePassword -NewPassword System.Security.SecureString
+                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-SecretStorePassword], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.SecretStore.SetSecretStorePasswordCo
   mmand

PS C:\Users\k> pSet-SecretStorePassword -NewPassword '123'
Set-SecretStorePassword : Cannot bind parameter 'NewPassword'. Cannot convert the "123" value of type "System.Int32"
to type "System.Security.SecureString".
At line:1 char:38
+ Set-SecretStorePassword -NewPassword 123
+                                      ~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-SecretStorePassword], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.SecretStore.SetSecretStorePasswordCo
   mmand

Relevant documentation below:

Set-SecretStorePassword
-NewPassword
[-Password ]

with

-Password
Existing password needed to unlock the store. This can be ignored if the store doesn't currently use a password.

Any idea how to fix this? Thank you!

Registering an additional store just creates another reference to the first store

Steps to reproduce:

  1. Register the first store of type Microsoft.PowerShell.SecretStore, name it say MyWallet
  2. Create two secrets, e.g., C1 & C2
  3. Register another store, also of type Microsoft.PowerShell.SecretStore, e.g., BlackWallet
  4. Make a new secret to BlackWallet, say C3
  5. You would expect to have a total of 3 secrets: C1, C2 (MyWallet) plus C3 (BlackWallet), but..
PS> Get-SecretInfo

Name Type   VaultName
---- ----   ---------
C1   String MyWallet
C2   String MyWallet
C3   String MyWallet
C1   String BlackWallet
C2   String BlackWallet
C3   String BlackWallet
  6. Removing any of the secrets will remove it from both stores/wallets.

Set-SecretStoreConfiguration without parameters prompts for confirmation

Running Set-SecretStoreConfiguration without any changes prompts for confirmation. Are any changes being made in this example? If no changes are made I don't think there is a reason to prompt or even get this far, maybe throwing an error if no parameters were passed.

PS C:\> Set-SecretStoreConfiguration

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Set-SecretStoreConfiguration -PasswordTimeout 0 doesn't seem to force a password every time

PS /home/ubuntu> Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password -PasswordTimeout 0

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local
store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password               0      Prompt

PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
Vault SecretStore requires a password.
Enter password:
*************
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret
PS /home/ubuntu> Get-Secret -AsPlainText -Name testsecret
testsecret

Locked out?

What have I done to myself here?

🔥09-18 16:32:39 20> Set-SecretStoreConfiguration -DoNotPrompt -Force

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser             True             900        True

C:\Users\Keith>
🔥0x8A150014 09-18 16:33:45 22> Get-Secret -Name SomePassword -AsPlainText
Get-Secret: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.
Get-Secret: The secret SomePassword was not found.

C:\Users\Keith>
09-18 17:27:06 24> Set-SecretStoreConfiguration -PasswordRequired:$false

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Set-SecretStoreConfiguration: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.

C:\Users\Keith>
🔥09-18 17:27:16 25> Get-SecretStoreConfiguration
Get-SecretStoreConfiguration: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.

If we are actually supposed to be able to disable the password requirement, then this syntax is not great -PasswordRequired:$false. Might be better to have -EnablePasswordRequired and DisablePasswordRequired.

No warning/error when an empty password is used

I accidentally pressed Enter through the creation of a password for the secret store that I hit when running Get-Secret:

> Get-Secret -AsPlainText -Name testsecret
Creating a new SecretStore vault. A password is required by the current store configuration.
Enter password:

Enter password again for verification:

At that point I'd entered an empty password, but the module didn't complain or anything.

Given that no password is a separate configuration, I'd expect to be prevented from doing this.

Unable to find dependent module(s) (Microsoft.PowerShell.SecretManagement)

I've installed the modules using the steps recommended here:

Install-Module Microsoft.PowerShell.SecretManagement -Force -AllowPrerelease
Install-Module Microsoft.PowerShell.SecretStore -Force -AllowPrerelease

When running the second command, I receive an error message saying: Unable to find dependent module(s) (Microsoft.PowerShell.SecretManagement).

The installation also only works on PowerShell 7 since PowerShell 5.1 does not seem to have support for the -AllowPrerelease command even if the document states so.

Our workaround was to remove the -Force parameter on the second command (Install-Module Microsoft.PowerShell.SecretStore -AllowPrerelease) in order to be able to complete the installation.

Set-SecretStoreConfiguration -Authentication None often fails

If I try to set the Authentication to None, the following command often fails.

Set-SecretStoreConfiguration -Authentication None -Password $tmpPw -Interaction None

The following error occurs:

Set-SecretStoreConfiguration : 
In Zeile:1 Zeichen:1
+ Set-SecretStoreConfiguration -Authentication None -Interaction None
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...reConfiguration:SetSecretStoreConfiguration) [Set-SecretStoreConfiguration], PSInvalidOperationException
    + FullyQualifiedErrorId : SecretStoreConfigurationUpdateFailed,Microsoft.PowerShell.SecretStore.SetSecretStoreConfiguration

But after a few attempts (sometimes 2 but often even more) it works.

Metadata doesn't accept datetime

The documentation and error messages indicate that a metadata key can be a datetime value. But both Set-Secret and Set-SecretInfo fail.

If I make the datetime a string, it works.

Or should we assume that all metadata values are strings?

Set-SecretStoreConfiguration doesn't properly support Confirm:$false

Set-SecretStoreConfiguration doesn't properly support Confirm:$false. I am removing the password from the vault configuration and it won't successfully update the Secret Store configuration. The code below results in no error and no change to the configuration.

Set-SecretStoreConfiguration -Authentication None -Confirm:$false

Reset-SecretStore doesn't respect -Confirm:$false

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest released version
  • Search the existing issues.

Steps to reproduce

Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery -Force -Verbose
$password = ConvertTo-SecureString "1234567890" -AsPlainText -Force
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password -PasswordTimeout 172800 -Interaction None -Password $password -Confirm:$false

This sets the secret store configuration.
Now I want to reset it.

Reset-SecretStore -Scope CurrentUser -Authentication None -Confirm:$false

This gives me a prompt to confirm my action, even if I mentioned -Confirm:$false.

Expected behavior

Reset-SecretStore should complete without user prompt when -Confirm:$false is mentioned.

Actual behavior

Reset-SecretStore -Scope CurrentUser -Authentication None -Confirm:$false
WARNING: !!This operation completely removes all SecretStore module secrets and resets configuration settings to new values!!

Reset SecretStore
Are you sure you want to erase all secrets in SecretStore and reset configuration settings to default?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

Error details

No response

Environment data

PS>$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

1.0.0

Visuals

No response

Set-SecretStoreConfiguration -PassThru Parameter

Currently Set-SecretStoreConfiguration outputs a Microsoft.PowerShell.SecretStore.SecureStoreConfig object by default. It may be better to not output unless a -PassThru parameter is passed like other Set-* cmdlets, for example Set-Service. That removes the need for users to pipe to Out-Null or assign it to $null or cast to [void] to suppress the output.

PS C:\> Set-SecretStoreConfiguration -PasswordTimeout 500

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
****

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser             True             500       False

pressing Ctrl-C when a new vault is created still prompts for pw verification

PS> Set-Secret -Name TestSecret

cmdlet Set-Secret at command pipeline position 1
Supply values for the following parameters:
SecureStringSecret: **********
Creating a new SecretStore vault. A password is required by the current store configuration.
Enter password: <PRESS CTRL-C>
Enter password again for verification:

It seems like the verification prompt should not be posted. Also, in this case, we should probably state that the secret was not put in the vault.

Support pipelining

For example:

Get-Secret -Name foo -Vault OtherVault  | Set-Secret -Vault SecretStore

Should be just a matter of adding the pipeline options to the parameter attribute.

Reset-SecretStore doesn't prompt for a new password

I was confused by the behaviour of Reset-SecretStore. It just succeeded without prompting me for a new password.

Only when I used Get-Secret was I prompted to create a new password.

I would have expected to need to provide a new password on reset.

Cannot Save-Module Microsoft.PowerShell.SecretStore -AllowPrerelease

Offline systems need modules moved to them manually.

This works --> Save-Module Microsoft.PowerShell.SecretManagement -AllowPrerelease -Path $savefolder

This doesn't --> Save-Module Microsoft.PowerShell.SecretStore -AllowPrerelease -Path $savefolder

OS: Windows 10
PWSH v7.0.3

Save-Module Microsoft.PowerShell.SecretStore -AllowPrerelease -Path C:\Users\user\tmp
WARNING: Unable to find dependent module(s) (Microsoft.PowerShell.SecretManagement)
WARNING: Package 'Microsoft.PowerShell.SecretStore' failed to install.
Save-Package: C:\program files\powershell\7\Modules\PowerShellGet\PSModule.psm1:11792:21
Line |
11792 | $null = PackageManagement\Save-Package @PSBoundParameters
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Unable to save the module 'Microsoft.PowerShell.SecretStore'.

Clarification Around Unlock-SecretStore and DoNotPrompt

Hi Team,

Great work on this module and the SecretManagement module.

I'm likely missing something obvious, but I wanted to clarify the usage around Unlock-SecretStore and automation scenarios where user interaction isn't available/possible.

From the blog post:

The user can provide the password through an interactive prompt or with the Unlock-SecretStore cmdlet. The Unlock-SecretStore is intended for automation scenarios where user interaction is not possible.

Given the password needs to be provided to Unlock-SecretStore in every fresh session of PowerShell (assuming the PasswordRequired is set to True), what are the suggested methods in being able to provide this password securely in automation scenarios? Would we typically fall back to using commands in the Microsoft.PowerShell.security module to get and securely store the password to be passed to Unlock-SecretStore at execution time? Or depending on where it is being used (maybe in deployment pipelines), a secure variable for the store password?

Cheers, Matt.

Request - Lock-SecretStore cmdlet

Hi!

I'm using SecretManagement and SecretStore to store secrets for an application within our systems. I think it would be very beneficial if there was a way to lock a secretstore rather than waiting for the timeout, for obvious security reasons. Of course, one could set a short timeout, but delays in the script/application could then get in the way of retrieving a secret.

There is no possibility to choose a custom file path

There is no possibility to choose a custom file path right now.

This feature would be really useful for team collaboration and automation environments, as the secret store could be checked into a Git repository together with the scripts that require it. This functionality would be similar to Ansible Vault.

Windows 11 Upgrade: Store File Corruption

SecretStore files corrupted after Windows 11 upgrade.

Error:
MethodInvocationException: Exception calling "PromptAndUnlockVault" with "2" argument(s): "Store file integrity check failed. The provided
password may be invalid, or store files have become corrupted or have been tampered with."

Reset-SecretStoreConfiguration confirmation prompt

Can the confirmation prompt default to "N" instead of (default is "Y")? The last thing I would want to have happen is accidentally pressing enter and now all the configuration is reset.

PS C:\> Reset-SecretStore
WARNING: !!This operation will completely remove all SecretStore module secrets and reset configuration settings to default values!!

Confirm
Are you sure you want to perform this action?
Performing the operation "Erase all secrets in the local store and reset the configuration settings to default values" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser             True             900       False

Test-SecretVault function fails unless the SecretStore password has been provided previously

I would expect the Test-SecretVault function provided by the sample extension vault "Microsoft.PowerShell.SecretStore" to prompt for the store password if no password has yet been provided or the password has expired. Instead it generates errors:

Test-SecretVault
MethodInvocationException: C:\Users\...\Documents\PowerShell\Modules\Microsoft.PowerShell.SecretStore\0.9.0\Microsoft.PowerShell.SecretStore.Extension\Microsoft.PowerShell.SecretStore.Extension.psm1:221:5
Line |
221 |      $success = [Microsoft.PowerShell.SecretStore.LocalSecretStore]::G …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "GetInstance" with "0" argument(s): "A valid password is required to access
     | the Microsoft.PowerShell.SecretStore vault."

Test-SecretVault: 
Line |
  18 |              & $module "$ImplementingModuleName\$Command" @Params
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Test-SecretVault failed to write secret on vault SecretStore with error:

Set-SecretStorePassword unintuitive for inputs

I wanted to use Set-SecretStorePassword and tried first with a positional parameter:

> Set-SecretStorePassword banana
Set-SecretStorePassword: A positional parameter cannot be found that accepts argument 'banana'.

So then I looked for the right parameter. Maybe it wants a SecureString?

> Set-SecretStorePassword -<tab>
Verbose              WarningAction        WarningVariable      OutBuffer
Debug                InformationAction    InformationVariable  PipelineVariable
ErrorAction          ErrorVariable        OutVariable

Hmmm, ok maybe it'll prompt me for the right parameter if I just execute it with no arguments?

> Set-SecretStorePassword
Old password
Enter password:

Oh! Hmmm, what is this? Oh it's literally prompting me the old fashioned way!

How do I automate this or get it to interact with other PowerShell stuff?

Unusable for non-interactive accounts

There does not appear to be a way for a script running as a non-interactive user to create/interact with a local Secret Store. As the password is set interactively on first usage, a non-interactive user cannot set the password of a newly-created store. And as the stores are per-user, there is no way to create and configure a store manually. Adding a means to specify a password on store registration or through a secondary action would be very useful.
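
One way to handle the unattended case raised in the Unlock-SecretStore question and in the report above, as an added example (not code from the SecretStore project): the vault password is kept as a DPAPI-protected SecureString written with Export-Clixml and handed to Unlock-SecretStore at the start of each session. The function names and the password file path are hypothetical, and the approach assumes Windows, where Export-Clixml encrypts SecureString values for the current user on the current machine.

```powershell
# Added example: unattended SecretStore setup and unlock (Windows, per-user store).
# Function names and the default file path are hypothetical.

function Initialize-UnattendedSecretStore {
    # One-time provisioning of a NEW store. Run it as the account that will run the
    # automation: the store is per-user and the DPAPI blob is bound to user and machine.
    param(
        [Parameter(Mandatory)][securestring]$VaultPassword,
        [string]$PasswordFile = "$env:LOCALAPPDATA\SecretStoreAutomation\vaultpw.xml"
    )
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        throw 'Export-Clixml encrypts SecureString values only on Windows (DPAPI).'
    }
    $null = New-Item -ItemType Directory -Path (Split-Path $PasswordFile) -Force
    $VaultPassword | Export-Clixml -Path $PasswordFile

    if (-not (Get-SecretVault -Name SecretStore -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
    }
    # Password authentication with prompting disabled, so a locked vault raises an
    # error instead of a prompt that would hang an unattended job.
    $null = Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password `
        -PasswordTimeout 900 -Interaction None -Password $VaultPassword -Confirm:$false
}

function Open-UnattendedSecretStore {
    # Call at the start of every automation session, before the first Get-Secret.
    param(
        [string]$PasswordFile = "$env:LOCALAPPDATA\SecretStoreAutomation\vaultpw.xml",
        [int]$PasswordTimeout = 900
    )
    if (-not (Test-Path -LiteralPath $PasswordFile)) {
        throw "Vault password file not found: $PasswordFile"
    }
    # Decryption fails here if the file was created by another user or on another machine.
    $vaultPassword = Import-Clixml -Path $PasswordFile
    if ($vaultPassword -isnot [securestring]) {
        throw "Expected a SecureString in $PasswordFile."
    }
    Unlock-SecretStore -Password $vaultPassword -PasswordTimeout $PasswordTimeout
}

# Provisioning, once, as the automation account:
#   Initialize-UnattendedSecretStore -VaultPassword (Read-Host -AsSecureString 'Vault password')
# In the unattended script:
#   Open-UnattendedSecretStore
#   $value = Get-Secret -Name SomePassword
```

The password file is only as strong as the account that owns it: any process running as that user on that machine can decrypt it, so the vault adds little against a compromise of the automation account itself. In a deployment pipeline, a secure pipeline variable converted to a SecureString can replace the file as the source of the password.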
