So I have a problem with a bit of a twist.
I maintain about 30 vCenters in my environments. This multitude of systems (I'm not even counting hosts) in addition to various automated tasks that I run means that I quickly fell in love with the New-VICredentialStoreItem command to create XML files of all of my credentials to automate logging into everything, but I have a problem with it. Sometimes the XML files won't open. It's not consistent, but I know why. My work system is pulled from a pool of VMs and my files are all kept on essentially a roaming profile. The pool is fairly small so I usually get the same system, but it's not a guarantee. When this happens, all my XML files break since it relies on the same user on the same machine to decrypt the files. What I would like to do is to move to an AES key. My key is in a location that's about as secure as it's going to be, but I'm having problems with the new code and I can't seem to wrap my head around it, so I need a new set of eyes. I think I'm running in circles. I'm posting the functions as I have them being called by a couple of menu programs as well as in my PS profile.
This is my original function to create a secure credential (and yes I should use Get-Credential but I was young and starry eyed when I first wrote it. The main thing is it worked.)
```powershell
function CreateCreds
{
    $file = Read-Host "Enter the file name"
    $FQDN = Read-Host "Enter the IP or FQDN of the vCenter server"
    $user = Read-Host "Enter the user as you would in vCenter"
    $pass = Read-Host "Enter the password"
    # Create VI Credential File
    New-VICredentialStoreItem -Host $FQDN -File "C:\credentials\$file.xml" -User $user -Password $pass
    Write-Host "Secure file created"
}
```
And these are the two functions I use to generate a new AES key and create a new credential file.
```powershell
$AESKeyFilePath = "C:\Credentials\aes.key"
$SecureCredsPath = "C:\Credentials\"

function CreateKey
{
    # Need to add a warning. Re-generating the key will invalidate all existing files
    # Generate a random AES Encryption Key.
    $AESKey = New-Object Byte[] 32
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
    # Store the AESKey into a file (Set-Content writes one byte value per line).
    Set-Content $AESKeyFilePath $AESKey
    Write-Host "Key file created"
}

function CreateCreds
{
    $AESKey = Get-Content -Path $AESKeyFilePath # Get contents of AES Key file
    $file = Read-Host "Enter the file name"
    $FQDN = Read-Host "Enter the IP or FQDN of the vCenter server"
    # Prompt you to enter the username and password
    $credObject = Get-Credential
    # Need file check. Flag if file exists and overwrite if told
    # The path must be quoted, otherwise "$file.xml" is parsed as a property lookup on $file;
    # -Password takes a plain string, so the SecureString has to be unwrapped first.
    New-VICredentialStoreItem -Host $FQDN -File "$SecureCredsPath$file.xml" -User $credObject.UserName -Password $credObject.GetNetworkCredential().Password
    Write-Host "Secure file created"
}
```
Now on to using the new files....
```powershell
function Connect-vCenter
{
    Param (
        [Parameter(Mandatory = $True)]
        $file
    )
    if ($file)
    {
        $AESKeyFilePath = "c:\credentials\aes.key"
        $AESKey = Get-Content -Path $AESKeyFilePath # Get contents of AES Key file
        $creds = Get-VICredentialStoreItem -File "c:\credentials\$file.xml"
        $vCenter = $creds.host
        $userUPN = $creds.user
        $securePass = $creds.Password | ConvertTo-SecureString -Key $AESKey
        $adminCreds = New-Object System.Management.Automation.PSCredential($userUPN, $securePass)
        Connect-VIServer -Server $vCenter -Credential $adminCreds
    }
    else
    {
        Write-Host "Error."
    }
}
```
This just bombs out every time. The code might look familiar as I've scrapped everything I had and tried to follow posts on this board but something is wrong and I can't tell what. Does anyone have any ideas? I'd be very appreciative and you would make my life easier.
--T
Peace
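As an added example (not the poster's code), the same workflow built entirely on ConvertFrom-SecureString -Key and ConvertTo-SecureString -Key: New-VICredentialStoreItem never uses the AES key and Get-VICredentialStoreItem returns the password already decrypted, so piping that string into ConvertTo-SecureString -Key cannot work, because -Key only accepts a string produced by ConvertFrom-SecureString -Key. The function names and the C:\Credentials paths are assumptions.

```powershell
# Added example: AES-keyed credential files that decrypt on any machine holding the key.
# Paths and function names are hypothetical placeholders.
$AESKeyFilePath  = 'C:\Credentials\aes.key'
$SecureCredsPath = 'C:\Credentials'

function New-AesKeyFile {
    # 32 bytes = AES-256. The key file IS the secret: anyone who can read it can
    # decrypt every credential file, so restrict its ACL to the accounts that need it.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    Set-Content -Path $AESKeyFilePath -Value ([Convert]::ToBase64String($key)) -Encoding ASCII
}

function Get-AesKey {
    # Returns the raw byte[] that the -Key parameters expect.
    [Convert]::FromBase64String((Get-Content -Path $AESKeyFilePath -Raw).Trim())
}

function Save-VCenterCredential {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Server)
    $cred = Get-Credential -Message "Credentials for $Server"
    # -Key encrypts with the supplied AES key instead of the user/machine-bound DPAPI,
    # so the ciphertext survives a move to another VM in the pool.
    $encrypted = $cred.Password | ConvertFrom-SecureString -Key (Get-AesKey)
    # Only strings are exported, so Export-Clixml does not fall back to DPAPI here.
    [pscustomobject]@{ Server = $Server; User = $cred.UserName; Password = $encrypted } |
        Export-Clixml -Path (Join-Path $SecureCredsPath "$Name.xml")
}

function Get-VCenterCredential {
    param([Parameter(Mandatory)][string]$Name)
    $item   = Import-Clixml -Path (Join-Path $SecureCredsPath "$Name.xml")
    # The stored value came from ConvertFrom-SecureString -Key, so -Key can decrypt it.
    $secure = $item.Password | ConvertTo-SecureString -Key (Get-AesKey)
    [pscustomobject]@{
        Server     = $item.Server
        Credential = New-Object System.Management.Automation.PSCredential($item.User, $secure)
    }
}

# Usage (hypothetical names):
# New-AesKeyFile                         # once; regenerating invalidates every existing file
# Save-VCenterCredential -Name vc01 -Server vc01.example.internal
# $c = Get-VCenterCredential -Name vc01
# Connect-VIServer -Server $c.Server -Credential $c.Credential
```

Regenerate the key file and re-save every credential if the key is ever exposed, since the key alone decrypts all of the XML files.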