Powershell: Add Cmdlets for storing Credentials in OS credential store

Created on 28 Aug 2016 · 5 Comments · Source: PowerShell/PowerShell

The Get-Credential cmdlet works well for interactive sessions, but to execute scripts non-interactively, credentials often need to get stored in a secure place, which is a challenge for most PowerShell users. As at least Windows and Mac OS X (Keychain) offer secure credential stores, it would be great if Cmdlets could be added to PowerShell to securely store credentials in the OS credential store. PowerShell Credentials Manager, an implementation for Windows PowerShell, can be found in the Technet Gallery.

This would increase usability of PowerShell for non-interactive scripting and enhance security for the average user.

Area-Cmdlets Issue-Enhancement Resolution-Answered Up-for-Grabs

All 5 comments

I think @Jaykul implements what you are asking for in his BetterCredentials module. That module adds some extra functionality to Get-Credential.

Get-Credential UserName -Store

If you haven't stored the password for "UserName", you'll be prompted with the regular PowerShell credential prompt, otherwise it will read the stored password.
In either case, it will store (update) the credentials in the Vault.

Perhaps that type of behavior should be added to the native Get-Credential cmdlet.
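One way to reproduce the prompt-or-read, then store (update) behaviour described above, as an added example that is not BetterCredentials' code nor part of this issue: it uses Export-Clixml, which protects the SecureString with DPAPI on Windows so only the same user on the same machine can read it back, rather than the OS credential store the issue asks for. The store directory and the one-file-per-user-name layout are assumptions.

```powershell
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Assumed store location: one DPAPI-protected file per user name
        [string]$StorePath = (Join-Path $env:LOCALAPPDATA 'CredStore')
    )

    # Export-Clixml only DPAPI-protects the SecureString on Windows;
    # on Linux/macOS the exported value is not encrypted, so refuse there.
    if ($PSVersionTable.PSVersion.Major -ge 6 -and -not $IsWindows) {
        throw 'This store relies on DPAPI and only protects secrets on Windows.'
    }

    if (-not (Test-Path -Path $StorePath)) {
        New-Item -ItemType Directory -Path $StorePath | Out-Null
    }

    # Keep the file name safe even for names like DOMAIN\user
    $safeName = $UserName -replace '[\\/:*?"<>|]', '_'
    $file = Join-Path $StorePath "$safeName.xml"

    if (Test-Path -Path $file) {
        # Already stored: read it back (decryptable only by this user on this machine)
        $cred = Import-Clixml -Path $file
    }
    else {
        # Not stored yet: fall back to the regular interactive prompt
        $cred = Get-Credential -UserName $UserName -Message "Enter password for $UserName"
    }

    # In either case, store (update) the credential for the next non-interactive run
    $cred | Export-Clixml -Path $file
    return $cred
}

# First call prompts and stores; later calls read the stored credential silently
$c = Get-StoredCredential -UserName 'svc-backup'
$c.UserName
```

Because DPAPI binds the file to the user and machine, the result is exactly the user+machine-specific storage the thread discusses, which is why a scheduled task must run as the same account that stored the credential.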

BetterCredentials looks interesting, but it also relies on the Advapi32.dll for storing credentials, which is Windows specific. Secure Credential Management is essential, and enabling PowerShell to use the Credential stores Microsoft and Apple recommend would be a great way to increase security for PowerShell scripts (especially non-interactive ones).

Although I'd theoretically like to make mine cross-platform, I don't have a MacBookPro anymore, so I won't be implementing that myself...

Since even the credential prompt is OS-specific, they might as well implement cross-platform native storage in the core.

For better or worse, I've actually been considering going the opposite direction, and making the storage pluggable, so that it can use something that's not user+machine specific, maybe KeePass or Thycotic SecretServer etc.

macOS Keychain can be accessed through a CLI command, which could be easily wrapped in BetterCredentials. But shelling out in core commands is kind of weird.
