
Comments (5)

rmbolger avatar rmbolger commented on June 3, 2024

Hi @kennethtipton, thanks for reaching out. Have you already seen the Using SecretManagement guide on the doc site?
https://poshac.me/docs/v4/Guides/Using-SecretManagement/

from posh-acme.

kennethtipton avatar kennethtipton commented on June 3, 2024

I read through that one and watched several videos. The part I am not understanding is what is stored in the vault: is it the old HE user and password or something else, and how does it know which secret to retrieve? Sorry I am having such a hard time with understanding it. I can store other information in the vaults.

rmbolger avatar rmbolger commented on June 3, 2024

No worries. Happy to explain further.

Ignoring SecretManagement for a moment, what normally happens when your plugin variables are saved to disk is that the module encrypts the secure values using a key provided by the OS. However, that OS provided key can't be used by anyone except the current user on the current machine. It's a very secure configuration, but it can also be inconvenient if you need to reference the same config files from another user or machine.

For those who need a more portable configuration, Set-PAAccount has a switch called -UseAltPluginEncryption which tells the module to start using a specific (randomly generated) key instead of the OS provided key. The new key value is stored with the config files so if you move them or access them from a different user/machine, the encrypted plugin data can still be decrypted. So you're sacrificing a bit of security for a more portable config and trusting that the filesystem permissions on your config are sufficient to keep unwanted parties from accessing your sensitive plugin variables.

The SecretManagement support builds on this UseAltPluginEncryption functionality by moving the encryption key into the vault instead of leaving it on disk with the rest of your config. The key is stored by default as a secret called poshacme-{0}-sskey where {0} is a random GUID associated with the account in the local config file. If you have more than one Posh-ACME account defined and you enable UseAltPluginEncryption on all of them, you'll have one secret stored per account. There's also nothing stopping you from storing other non-Posh-ACME related secrets in the same vault as long as they don't conflict with the Posh-ACME secrets' naming conventions.

By using the SecretManagement support you're ultimately trading filesystem security for whatever security is provided by the specific Vault plugin you've configured. For instance, using the Microsoft provided SecretStore plugin would be pointless because it stores secrets on disk in the current user profile using the exact same non-portable key provided by the OS that the default Posh-ACME configuration uses. But using something like Az.KeyVault means your secrets are protected by Azure's native KeyVault service, and access is dependent on however you've configured that.

kennethtipton avatar kennethtipton commented on June 3, 2024

I can see how you are storing the info. Pretty neat. But when I generate a certificate it prompts me for the Hurricane Electric username and password. When I use Get-PAPlugin I get:

PS C:\POSHACME> Get-paPlugin -plugin HurricaneElectric -params
    Set Name: Secure (Default)
Parameter    Type         IsMandatory
---------    ----         -----------
HECredential PSCredential True

    Set Name: DeprecatedInsecure

Parameter  Type   IsMandatory
---------  ----   -----------
HEUsername String True
HEPassword String True

rmbolger avatar rmbolger commented on June 3, 2024

That Get-PAPlugin command is only telling you what parameter sets are supported for the HurricaneElectric plugin. In this case, you can either supply a PSCredential object called HECredential or two different strings containing the username/password called HEUsername and HEPassword. If you want to query the actual parameters that are saved for a given order, you'd need to use Get-PAPluginArgs.

What command(s) did you use to create the certificate initially?


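The two explanations above (how the per-account encryption key ends up in the vault, and the difference between what Get-PAPlugin and Get-PAPluginArgs report) can be checked from a single PowerShell session. The script below is an added example written for this thread; it is not code from the discussion or from the Posh-ACME project. It assumes the vault name is handed to Posh-ACME through the POSHACME_VAULT_NAME environment variable as described in the Using SecretManagement guide linked earlier, that the secrets follow the default poshacme-{0}-sskey naming quoted above, and that Get-PAPluginArgs returns a hashtable keyed by plugin parameter name; 'MyVault' is a placeholder vault name.

```powershell
# Added example, not code from the thread or from the Posh-ACME project.
# Audits a Posh-ACME configuration that uses SecretManagement:
#   1. checks which registered vault Posh-ACME will use and warns when it is
#      SecretStore (which, as explained above, is no more portable than the
#      default OS-keyed encryption);
#   2. lists the per-account plugin-encryption keys held in the vault, which
#      follow the default 'poshacme-{0}-sskey' naming quoted above;
#   3. reports which parameter set is actually saved for each order, so a
#      missing or deprecated credential set is visible before a renewal.
# Assumptions: $env:POSHACME_VAULT_NAME selects the vault (per the Using
# SecretManagement guide), 'MyVault' is a placeholder, and Get-PAPluginArgs
# returns a hashtable keyed by plugin parameter name.

param([string]$VaultName = 'MyVault')

Import-Module Microsoft.PowerShell.SecretManagement -ErrorAction Stop
Import-Module Posh-ACME -ErrorAction Stop

# Tell Posh-ACME which registered vault holds the sskey secrets.
$env:POSHACME_VAULT_NAME = $VaultName

# 1. The vault must already be registered with Register-SecretVault.
$vault = Get-SecretVault -Name $VaultName -ErrorAction Stop
if ($vault.ModuleName -eq 'Microsoft.PowerShell.SecretStore') {
    Write-Warning "Vault '$VaultName' is backed by SecretStore: its secrets live on this machine under this user profile, so the Posh-ACME config is no more portable than the default."
}

# 2. One sskey secret is expected per account that has UseAltPluginEncryption enabled.
$sskeys   = @(Get-SecretInfo -Vault $VaultName | Where-Object Name -like 'poshacme-*-sskey')
$accounts = @(Get-PAAccount -List)
Write-Host ("{0} account(s) configured, {1} plugin-encryption key(s) in vault '{2}'" -f $accounts.Count, $sskeys.Count, $VaultName)
$sskeys | ForEach-Object { Write-Host "  vault secret: $($_.Name)" }
if ($sskeys.Count -lt $accounts.Count) {
    Write-Host "  note: accounts without a vault key are still using OS-keyed (non-portable) encryption; enable it per account with 'Set-PAAccount -UseAltPluginEncryption'."
}

# 3. Report the saved plugin parameter set per order. For HurricaneElectric the
# Secure set is HECredential; HEUsername/HEPassword is the DeprecatedInsecure set.
foreach ($order in Get-PAOrder -List) {
    $pargs = Get-PAPluginArgs -MainDomain $order.MainDomain
    $keys  = @($pargs.Keys)
    $status = if ($keys.Count -eq 0) {
        'no saved plugin args'
    } elseif ($keys -contains 'HEUsername' -or $keys -contains 'HEPassword') {
        'DeprecatedInsecure set (plain-string username/password)'
    } else {
        'Secure set (' + ($keys -join ', ') + ')'
    }
    [pscustomobject]@{
        MainDomain = $order.MainDomain
        Plugin     = ($order.Plugin -join ',')
        SavedArgs  = $status
    }
}
```

Run it from the same user context that will perform renewals, since that is the context in which the vault must be unlockable; an order that shows "no saved plugin args" is one whose credentials were never persisted with the order, which is the first thing to rule out when a renewal unexpectedly asks for a username and password.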