Encrypted Credentials in Push mode on Windows 7

I’m trying to use DSC to maintain configuration on a handful of shared servers. My plan is to put my DSC scripts into Source Control so anyone on my team can edit the configuration and ‘push’ it from their own workstation. All the workstations as well as the servers themselves (the nodes) are running Windows 7.

Everything works great now, but my problem is that it puts my domain password in plain-text in the MOF file. I don’t anticipate ever checking those files into source control, but my teammates aren’t happy about code that puts their passwords into a plain-text file.

I looked into a few options. This page gives instructions, but it uses the ‘Export-Certificate’ function, which doesn’t seem to be available on Win7. It also seems like I could set DSC to run locally on the node (in Pull mode), but I don’t have anywhere to set up a Pull server.

So, are there any simple methods to encrypt my credentials so they’re not stored in clear text? Here’s my code right now, which works great (aside from the aforementioned storing of passwords in clear text in the MOF).


$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName = "*" # Settings that apply to all nodes
            PSDscAllowPlainTextPassword=$true
        }
    )
}

Configuration ManagedServers
{
    param (
        [Parameter(Mandatory = $true)] [PSCredential] $Credential
    )
    Node $AllNodes
    {
        Group Administrators
        {
            GroupName = "Administrators"
            Ensure = "Present"
            Members = "DOMAIN\User"
            Credential = $Credential
        }
    }
}

ManagedServers -ConfigurationData $ConfigurationData -Credential (Get-Credential)

I thought we’d covered this in The DSC Book, was it not? You need to include the certificate thumbprint that the node will use to decrypt the credentials - meaning the certificate itself must be pre-deployed. It works the same as if the config is coming from a pull server. And don’t forget that a pull server can also just be a file server; you don’t need to go the web server route, if that helps.

Which method do you advise? Setting up a Pull server from a UNC share (I hope I don’t need admin access to the file server since I hope to use our company’s shared network-store) or pre-deploying some certificates?

I have not read the DSC Book, but I’ll check it out when I get home tonight (my company blocks onedrive.live.com, I’m afraid).

Well, two different things.

Thing 1, you said you can’t have a Pull Server; a Pull Server can just be a file server if that makes the decision to use Pull a little easier.

Thing 2, you have to pre-deploy certs if you’re going to encrypt credentials. They don’t come from the pull server per se. Not magically, at least, like resource modules can.

But I think the DSC book shows the syntax where the cert thumbprint goes, if not an explicit example.
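Putting the two replies together (a certificate pre-deployed on the node, and its thumbprint carried in the configuration data), here is an added example; it is not the poster's code and not from The DSC Book. It assumes a node named SERVER01, a placeholder thumbprint, the file paths shown, and a certificate with its private key already installed in the node's LocalMachine\My store; the public-key export uses a .NET call in place of the Export-Certificate cmdlet the question says is missing on Win7.

```powershell
# Added example; assumed node name, placeholder thumbprint and paths.
$NodeName   = 'SERVER01'
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # cert (with private key) already in the node's LocalMachine\My store
$CerPath    = "C:\DscPublicKeys\$NodeName.cer"

# Step 1, run once ON THE NODE: export the public key only. Export-Certificate is missing on Win7, but
# X509Certificate2.Export with content type Cert writes the DER public cert; the private key stays on the node.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
[IO.File]::WriteAllBytes($CerPath, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Step 2, from a workstation: tell the node's LCM which certificate decrypts pushed credentials.
Configuration ConfigureLcm
{
    Node $NodeName
    {
        LocalConfigurationManager { CertificateID = $Thumbprint }
    }
}
ConfigureLcm -OutputPath C:\DscLcm
Set-DscLocalConfigurationManager -Path C:\DscLcm

# Step 3: per-node CertificateFile and Thumbprint replace PSDscAllowPlainTextPassword = $true.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = $NodeName
            CertificateFile = $CerPath      # public key copied from the node in step 1
            Thumbprint      = $Thumbprint
        }
    )
}
Configuration ManagedServers
{
    param ([Parameter(Mandatory = $true)] [PSCredential] $Credential)
    Node $AllNodes.NodeName
    {
        Group Administrators
        {
            GroupName  = 'Administrators'
            Ensure     = 'Present'
            Members    = 'DOMAIN\User'
            Credential = $Credential
        }
    }
}
$cred = Get-Credential
ManagedServers -ConfigurationData $ConfigurationData -Credential $cred -OutputPath C:\DscMof
# Check before the MOF goes anywhere: the clear-text password must not be in it (no match means it is absent).
$mof = "C:\DscMof\$NodeName.mof"
if (Select-String -Path $mof -SimpleMatch -Pattern $cred.GetNetworkCredential().Password) {
    Write-Warning "$mof still holds the clear-text password; check CertificateFile and Thumbprint"
}
```

The MOF then carries the password as a blob encrypted to the node's public key, and only the LCM holding the matching private key can decrypt it, so the node-specific MOF is still not something to commit to source control.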