  • 1.  Secure Credentials with AES Keys

    Posted Mar 04, 2021 08:49 PM

    So I have a problem with a bit of a twist.

    I maintain about 30 vCenters in my environments. This multitude of systems (I'm not even counting hosts), in addition to various automated tasks that I run, means that I quickly fell in love with the New-VICredentialStoreItem command to create XML files of all of my credentials to automate logging into everything, but I have a problem with it. Sometimes the XML files won't open. It's not consistent but I know why. My work system is pulled from a pool of VMs and my files are all kept on essentially a roaming profile. The pool is fairly small so I usually get the same system but it's not a guarantee. When this happens, all my XML files break since it relies on the same user on the same machine to decrypt the files.

    What I would like to do is to move to an AES key. My key is in a location that's about as secure as it's going to be but I'm having problems with the new code and I can't seem to wrap my head around it so I need a new set of eyes. I think I'm running in circles. I'm posting the functions as I have them being called by a couple menu programs as well as in my PS Profile.

    This is my original function to create a secure credential (and yes, I should use Get-Credential, but I was young and starry-eyed when I first wrote it. The main thing is it worked.)



    And these are the two functions I use to generate a new AES key and create a new credential file.



    Now on to using the new files....




    This just bombs out every time. The code might look familiar as I've scrapped everything I had and tried to follow posts on this board but something is wrong and I can't tell what. Does anyone have any ideas? I'd be very appreciative and you would make my life easier.






  • 2.  RE: Secure Credentials with AES Keys

    Posted Mar 05, 2021 12:13 PM

    I'm not sure I understand where the AES key is actually used.
    Shouldn't the key be used in the CreateCreds function?

  • 3.  RE: Secure Credentials with AES Keys

    Posted Mar 05, 2021 01:43 PM

    You're right. I don't seem to be calling the AES key correctly when decrypting it. I've been working on this for a couple months as I have time so I have multiple copies all over (I need to be better about version control and projects). And staring at it means I don't see those little pieces get missed. I'm going to use this as my start code and work it out from there. If I get it working (or continue to have issues) I'll post the code back up for everyone.

    Thanks again for the quick once over.

  • 4.  RE: Secure Credentials with AES Keys

    Posted Mar 08, 2021 03:03 PM

    Well, I think I figured it out, so to give back, here's what I found. I think the issue is the New-VICredentialStoreItem and the XML file it creates. Once I dropped that and moved to creating my own files, I got it working. I don't know what the issue is, whether it's in encrypting or decrypting the secure password, but it wasn't working. I went with INI files because I can easily query an INI file with another function I have in my profile. I'll probably re-write it at some point to use XML files again and I'll probably remove the hard links for the files as well. Below is a complete set of files. CreateSecureCreds will generate an AES key file and will create credential files for any vCenter or Host you need to connect to. It's menu driven too for your convenience. At the end I've included the Get-INI function that I did not write but at some point got scrubbed and I lost the author's name. I think it's fairly popular and easy to find. Lastly, I included the ConnectTo-VIServer function.

    The script can always be improved but hopefully this helps out someone else.
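
The round trip discussed in this thread, as an added example that is not the poster's scripts: the same AES key is passed with `-Key` on both the encrypt and decrypt side, so the file no longer depends on the user and machine that created it. The function names, file names, `User=`/`Password=` layout and sample values are assumptions constructed for illustration.

```powershell
# Added example: hypothetical function names and file layout, constructed sample values.
function New-AesKeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $key = New-Object byte[] 32                      # 256-bit AES key
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    [System.IO.File]::WriteAllBytes($Path, $key)     # restrict this file with ACLs
}

function Export-PortableCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Path
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    # -Key switches ConvertFrom-SecureString from DPAPI to AES with the supplied key
    $enc = ConvertFrom-SecureString -SecureString $Credential.Password -Key $key
    Set-Content -Path $Path -Value @("User=$($Credential.UserName)", "Password=$enc")
}

function Import-PortableCredential {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Path
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    $kv = @{}
    foreach ($line in Get-Content -Path $Path) {
        $name, $value = $line -split '=', 2          # split on the first '=' only
        $kv[$name] = $value
    }
    # The same key must be supplied here; without -Key, DPAPI is assumed
    $secure = ConvertTo-SecureString -String $kv['Password'] -Key $key
    New-Object System.Management.Automation.PSCredential($kv['User'], $secure)
}

# Round trip with constructed values, written to the temp directory
$dir      = [System.IO.Path]::GetTempPath()
$keyFile  = Join-Path $dir 'example-aes.key'
$credFile = Join-Path $dir 'example-vcenter.cred'
New-AesKeyFile -Path $keyFile
$pw   = ConvertTo-SecureString 'Constructed-Sample-Pw1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('administrator@vsphere.local', $pw)
Export-PortableCredential -Credential $cred -KeyPath $keyFile -Path $credFile
$restored = Import-PortableCredential -KeyPath $keyFile -Path $credFile
$restored.GetNetworkCredential().Password -eq 'Constructed-Sample-Pw1!'
```

Anyone who can read the key file can decrypt every credential file made with it, so the key file's permissions are the actual security boundary here.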