Stupid Questions with Vanda : Register-SecretVault & General Gallery Question

Posted this question on Discord too, so hopefully that’s ok, i think the two have somewhat different audiences.

Over the last few years, I’ve had co-workers teaching me bits and pieces of PowerShell, and I’ve done some stuff in it, mostly very simple. Usually I make a renewed effort after Summit, get a few chapters in, and end up on other things, then the next year I forget everything and start back over at the beginning or close to. I’ve made it to Chapter 9 this year, yay!!

I’m doing the lab, and I’ve gotten the secretmanagement module installed, but have a few questions.

I was trying to decide where to store my secret, and noticed that most of the password stores I’m familiar with are actually more modules by community members in the gallery. Every time I heard anyone talk about the gallery, they say it’s generally trustworthy, but you should always review anything you get from there. But with my PowerShell knowledge so spotty, I’m not sure I’m capable of that. I’m not even sure exactly what I’m asking? Is the Gallery really almost always trustworthy? How do I go about trying to review things I pull down without breaking my brain? Is there a way to judge based on a creator you’re not familiar with?

So, since I was spinning my wheels there, I decided I’d just try and use something that came with the module. So I started looking at helps and examples and found the Register-SecretVault command. The example for that command is in the attached screenshot. It lists a ‘CredMan’ and a ‘LocalStore’.

I know what the CredMan is so I thought I’d start there, but I noticed that also needed a module: Microsoft.PowerShell.CredManStore, but when I tried to find/install that module I got an error. Is this a thing that doesn’t exist anymore? Or something for Windows PowerShell? I saw there were other CredMan modules, but that led me back to my first question of knowing what to pick/who to trust?

So that leaves me with LocalStore, which I just want to make sure I understand. Is this just like a little private vault that PS makes up on the spot?

Thanks for any help.

Hey there welcome! I think a lot of people have their own opinions on the gallery.

IMO there’s a reason that by default, the PS Gallery is ‘not trusted’. I personally come from a mindset of ‘trust almost nothing’, so unless the publisher is like MS, I almost always do a little digging before installing a module. However, the gallery is how MS deploys their modules (like Exchange Online and Graph), so it is an important part of a lot of people’s workflows. Just bear in mind that anyone can submit to the PS Gallery, and if I recall correctly there are certain safeguards in place (they do scans), but I’m guessing most of that is automated. What you can do is actually go to the module in the gallery and review the code (PowerShell Gallery | Home). Most sites will have a ‘project’ site that will link to the GitHub. The code is also there to view on the website. However, that can be a chicken-or-egg scenario: if you are newer to PowerShell, you may not have enough working knowledge to know. Also some people have more complex code that may use C#, so it adds a layer of complexity there. Also there are criticisms of the gallery (think I recall reading about one last year). I could go on about this but you get the gist :smiley:

Regarding CredMan - CredMan I believe in this context is Windows Credential Manager. I haven’t used that module, but it seems like it’s configured using ‘extensions’ which perhaps are nothing more than PS modules themselves. Overview of the SecretManagement and SecretStore modules - PowerShell | Microsoft Learn talks about the ‘Credman’ vault extension, but the link actually points to Justin Grote’s module and it’s named differently. So yeah, I’m not sure there. It might just be an outdated screenshot maybe, though I did find evidence of the same thing in their docs.

The previously linked doc has some good info in it. TL;DR: I think the localstore is just stored locally in a file and encrypted with your user information.
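The “do a little digging before installing” step above, as an added example that is not part of the original thread: it downloads a Gallery module without importing it and surfaces the metadata, signatures and code patterns a reviewer would look at first. The module name is a placeholder, and the pattern list is my own assumption about what merits a closer read.

```powershell
# Added example (not from the thread): review a PowerShell Gallery module before installing it.
# Assumes PowerShellGet (Find-Module / Save-Module) is available. $ModuleName is a placeholder.
$ModuleName = 'ExampleModule'                                    # substitute the module under review
$Staging    = Join-Path ([IO.Path]::GetTempPath()) 'ps-module-review'

# 1. Publisher metadata the Gallery exposes, before any code is touched
$info = Find-Module -Name $ModuleName -Repository PSGallery
$info | Select-Object Name, Version, Author, CompanyName, PublishedDate, ProjectUri, LicenseUri

# 2. Save-Module only downloads; nothing is imported or executed
Save-Module -Name $ModuleName -Path $Staging -Repository PSGallery -Force

# 3. Authenticode status of every script and manifest (unsigned is common, but note who signed what)
Get-ChildItem -Path $Staging -Recurse -Include *.ps1, *.psm1, *.psd1 |
    Get-AuthenticodeSignature |
    Select-Object @{n = 'File'; e = { $_.Path }}, Status,
                  @{n = 'Signer'; e = { $_.SignerCertificate.Subject }}

# 4. Things worth reading line by line: compiled payloads (the C# case mentioned above),
#    outbound network calls, dynamic code evaluation and encoded content
$files = Get-ChildItem -Path $Staging -Recurse -File
$files | Where-Object Extension -in ('.dll', '.exe') | Select-Object FullName

$patterns = 'Invoke-WebRequest', 'Invoke-RestMethod', 'Invoke-Expression',
            'FromBase64String', 'Add-Type', 'Start-Process'      # assumed review heuristics
$files | Where-Object Extension -in ('.ps1', '.psm1') |
    Select-String -Pattern $patterns |
    Select-Object Path, LineNumber, Line
```

Nothing here replaces reading the code, but it narrows a large module down to the files and lines where a mistake or malicious addition would most likely live.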

Sorry, I thought I responded! Thanks for the article about the CredMan.

I ended up doing the exercise with the localstore, but I’m still trying to understand this more because I can see how it would be super useful.

About the localstore, does anyone know where that’s created? I looked in my directory with my script, and in the path directory for PowerShell, but didn’t see it in either.

What OS are you running PS on? The SecretStore info and LocalStore data are kept in your user’s appdata.
Quoting Microsoft here:

Vault configuration and data are stored in separate files. The file location depends on the platform operating system.

For Windows platforms the location is: $env:LOCALAPPDATA\Microsoft\PowerShell\secretmanagement\localstore\
For Non-Windows platforms the location is: $HOME/.secretmanagement/localstore/

You can also check out the source code for the SecretStore module here:
SecretStore Github
But it’s mostly in C#, so it reads a bit differently than PowerShell.

It seems like the local store option is using AES to encrypt your vault which is just a flat file that lives in your user’s local data folder.
The part I didn’t like about this when I was trying to read it in the past is that they use an extremely out-of-date set of parameter options for their implementation of PBKDF2. Basically the default options from when that standard was ratified like 24 years ago. I wrote a blog post about this so I’ll link it here instead of re-hashing it.
https://courtneybodett.com/SecretsManagement/
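The LocalStore walk-through from the two replies above, as an added example that is not part of the original thread: it registers the SecretStore extension under the name LocalStore, stores one secret, and then lists the flat files at the per-platform path quoted from the Microsoft docs. It assumes both modules are already installed from the Gallery; the vault name and secret value are constructed placeholders.

```powershell
# Added example (not from the thread). Requires:
#   Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

# "LocalStore" is not conjured on the spot: it is the SecretStore extension module
# registered under whatever -Name you choose. -DefaultVault makes Set-Secret/Get-Secret use it.
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# Inspect the store settings (Scope, Authentication, PasswordTimeout, Interaction).
# Authentication=Password is the setting that makes the PBKDF2-derived key matter at all;
# Authentication=None leaves the file protected only by user-scoped storage.
Get-SecretStoreConfiguration

# Store a constructed placeholder secret, then read it back. Get-Secret prompts for the
# store password when the vault is locked (after PasswordTimeout seconds).
$demo = ConvertTo-SecureString 'example-not-a-real-key' -AsPlainText -Force
Set-Secret -Name DemoApiKey -Secret $demo -Vault LocalStore
Get-SecretInfo -Vault LocalStore              # names and types only, no values
Get-Secret -Name DemoApiKey -Vault LocalStore -AsPlainText

# The on-disk location from the Microsoft doc quoted above. $IsWindows does not exist in
# Windows PowerShell 5.1, so fall back to $env:OS there.
$storePath = if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    Join-Path $env:LOCALAPPDATA 'Microsoft\PowerShell\secretmanagement\localstore'
} else {
    Join-Path $HOME '.secretmanagement/localstore'
}
# Configuration and data are separate files; both should be readable only by the current user.
Get-ChildItem -Path $storePath -Force | Select-Object Name, Length, LastWriteTime
```

If you later want to drop the vault, Unregister-SecretVault -Name LocalStore only removes the registration; the files under $storePath stay until you delete them.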

Thanks for the further info! I’ll check out that article.