
Storing a plain text secret

Open jdhitsolutions opened this issue 4 years ago • 4 comments

Not sure if this is a bug or something I'm missing in the documentation. I want to store a plaintext secret. I think I can do that based on the help. So I start with this:

$plain = "FooBar123"
Set-Secret -Name plain -Secret $plain -Vault jhvault

It looks like a string.

PS C:\> get-secretinfo -Name plain

Name  Type   VaultName
----  ----   ---------
plain String jhVault

But if I run Get-Secret plain I get a secure string result. Using get-secret plain -AsPlainText gets me the value but I don't think I should have to take this extra step. I have other secrets that were entered as secure strings and those show up that way with Get-SecretInfo. But anything I stored in plaintext appears to be stored as a secure string. Have I missed something?

jdhitsolutions avatar Apr 14 '21 18:04 jdhitsolutions

This is by design. String type secrets are always returned as SecureString objects. On Windows platforms, the SecureString object contains an encrypted byte array of the secret string. On non-Windows platforms, where there is no support for user context encryption, the SecureString object contains the string secret as a character array.

But in either case the SecureString object provides an important service of hiding the plain text secret, so that it is not inadvertently displayed in a shell or logged to file. To get the plain text secret string you always have to explicitly use the -AsPlaintext switch.

PaulHigin avatar Apr 21 '21 16:04 PaulHigin
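The behaviour described in the reply above, shown end to end as an added example (this is not code from the issue or from the SecretManagement project). It assumes the Microsoft.PowerShell.SecretManagement module is installed and that a vault named `jhvault` (the name used in the issue) is already registered; the secret name `plain-demo` and the user name `svc-account` are constructed for the demo. It stores a `[string]`, confirms that `Get-Secret` nevertheless returns a `SecureString`, shows that interpolating that object into a log line exposes only the type name, hands it to an API that consumes SecureStrings directly, and reserves `-AsPlainText` for the one place a clear-text string is genuinely required.

```powershell
# Added example (not from the issue thread or the SecretManagement project).
# Assumes Microsoft.PowerShell.SecretManagement is installed and a vault
# named 'jhvault' (the name used in the issue) is already registered.
#Requires -Modules Microsoft.PowerShell.SecretManagement

$vault = 'jhvault'
$name  = 'plain-demo'   # constructed secret name, removed again at the end

# 1. Store a plain [string]; the vault records it with Type 'String'.
Set-Secret -Name $name -Secret 'FooBar123' -Vault $vault
$info = Get-SecretInfo -Name $name -Vault $vault
"Stored type reported by Get-SecretInfo : $($info.Type)"

# 2. By default Get-Secret hands back a SecureString, not the string itself.
$secret = Get-Secret -Name $name -Vault $vault
"Runtime type returned by Get-Secret    : $($secret.GetType().FullName)"
if ($secret -isnot [System.Security.SecureString]) {
    throw 'Expected a SecureString from Get-Secret'
}

# 3. Formatting the object does not leak the value; a transcript or log line
#    built from it only ever shows the type name.
"Echoed into a log line                 : $secret"

# 4. Most consumers never need the clear text: hand the SecureString straight
#    to an API that accepts one, such as PSCredential.
$cred = [System.Management.Automation.PSCredential]::new('svc-account', $secret)
"Credential user                        : $($cred.UserName)"

# 5. Only where an API insists on a [string] is -AsPlainText the explicit,
#    auditable step that materialises the value; the variable is cleared as
#    soon as it has been used.
$clear = Get-Secret -Name $name -Vault $vault -AsPlainText
"Clear text length                      : $($clear.Length)"
Remove-Variable clear

# 6. Clean up the demo secret.
Remove-Secret -Name $name -Vault $vault
```

Running this in a session with `Start-Transcript` active is a quick way to see the point of the design: steps 1 to 4 leave nothing but a type name in the transcript, and only the deliberate `-AsPlainText` call in step 5 ever puts the value into a `[string]` that could end up in a log.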

Got it. I'd suggest making this clearer in the documentation.

jdhitsolutions avatar Apr 21 '21 16:04 jdhitsolutions

This is the current help description:

DESCRIPTION
    This cmdlet finds and returns the first secret that matches the provided name. If a vault name is specified, then
    only that vault will be searched. Otherwise, all vaults are searched and the first found result is returned. If a
    'Default' vault is specified, then that vault is searched before any other registered vault. Secrets that are
    string or SecureString types are returned as SecureString objects by default. Unless the '-AsPlainText' parameter
    switch is used, in which case the secret is returned as a String type in plain text.

However, I am not sure how to enhance documentation other than adding the justification for this behavior.

PaulHigin avatar Apr 21 '21 17:04 PaulHigin

I see. That description is in Get-Secret. I was reading the help for Set-Secret. Since I was using the -Secret parameter I was going by that help, which says the object must be of a supported type. I assumed that since I was entering a string it would be stored as a string. Perhaps some explanation in Set-Secret that secrets are never stored as plaintext would help.

Or perhaps the better question is do you really need -SecureStringSecret and -Secret parameters. Why not simply -Secret that handles everything?

jdhitsolutions avatar Apr 21 '21 17:04 jdhitsolutions