As we develop our DSC strategy, we would like different teams (Operations, DBAs) to be able to update configurations but not be able to see any sensitive credentials used in configurations.
At the moment we use MOF certificate encryption with private keys that are distributed to nodes, and we use the corresponding public keys to encrypt MOFs on the pull server.
We also use WMF 5.1, and it also encrypts MOFs stored on nodes, meaning that credentials in MOFs are encrypted using certificates and the MOF files themselves are encrypted locally on nodes using DPAPI.
Configuration files would be updated by other teams using source control. Once the configuration files are checked in, CD/CI would pick them up, build, test and deploy the MOFs to pull servers.
Now the issue that we face: Operations and other team members will have local administrator privileges on the nodes they own. Does it mean that they would be able to see decrypted credentials one way or another?
If this is the case, how can we mitigate it? Someone suggested using separate encryption/decryption certificates for different teams, but this seems like a complication and does not resolve the issue entirely.