vCheck-vSphere

Add support for securely storing credentials via 'ProtectedData' Module

Open vScripter opened this issue 9 years ago • 6 comments

Add in support/use ProtectedData module to better secure and handle stored credentials used for execution/reporting.

The ProtectedData module was created and is actively maintained by Dave Wyatt

vScripter avatar Apr 29 '15 14:04 vScripter

Or maybe we should just say people have to use New-VICredentialStoreItem to store creds for this script?

alanrenouf avatar Apr 30 '15 02:04 alanrenouf

That is also an option. Does it support persistence across user logins on the same system?

I was thinking more along the lines of supporting an encrypted, hard-coded password, that would require a separate key/cert to decrypt it, upon execution, which avoids using the .NET Data Protection API, which isn't versatile if you have the report running on several servers in a large and/or geographically dispersed environment.

PowerShell v5 natively supports almost all of the features of the ProtectedData module.

Either way, I was mainly thinking of a more efficient and secure way to maintain credentials; it very well may be the case that New-VICredentialStoreItem is a better way to go (not to mention it's native PowerCLI)

vScripter avatar Apr 30 '15 03:04 vScripter
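
The certificate-based approach described in the comment above, sketched with the CMS cmdlets that ship with PowerShell 5. This is an added example, not part of the original thread or of vCheck; the function names, file path, certificate subject and server name are hypothetical. Unlike a credential saved with `Export-Clixml`, which on Windows is protected by DPAPI and tied to one user on one machine, the file written here can be decrypted on any server that holds the certificate's private key.

```powershell
# Added example. Requires PowerShell 5.0+ (Protect-CmsMessage / Unprotect-CmsMessage).
# Function names and all sample values are hypothetical.

function Save-CmsCredential {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $To,    # thumbprint, subject or .cer path of the recipient cert
        [Parameter(Mandatory)] [string] $Path   # where the encrypted CMS message is written
    )
    # User name and password are serialized together so both end up encrypted.
    $json = @{
        UserName = $Credential.UserName
        Password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json -Compress

    # Encrypts to the certificate's public key; no private key is needed to write the file.
    Protect-CmsMessage -To $To -Content $json -OutFile $Path
}

function Get-CmsCredential {
    param([Parameter(Mandatory)] [string] $Path)

    # Fails unless the matching private key is present in the certificate store
    # of the account running the report.
    $json   = Unprotect-CmsMessage -Path $Path -ErrorAction Stop
    $data   = $json | ConvertFrom-Json
    $secure = ConvertTo-SecureString -String $data.Password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ($data.UserName, $secure)
}

# Usage (constructed values). Create a document-encryption certificate once,
# install it with its private key on each report server, then:
#
# $cert = New-SelfSignedCertificate -Subject 'CN=vCheck Credential' `
#     -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
#     -CertStoreLocation Cert:\CurrentUser\My
# Save-CmsCredential -Credential (Get-Credential) -To $cert.Thumbprint -Path .\vcenter.cms
# $cred = Get-CmsCredential -Path .\vcenter.cms
# Connect-VIServer -Server vcenter.example.test -Credential $cred
```

The stored file is only as safe as the private key, so restrict who can read that key on each server and avoid leaving an exported copy of it next to the script.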

We use the credentials feature of Task Scheduler that's been part of Task Scheduler since it came out (I think). I guess I'm not seeing the use case. Doing it any other way seems unnecessarily complicated.

monahancj avatar May 08 '15 00:05 monahancj

This would not change the existing functionality, but extend it to give more flexibility.

I guess the simplest use case to highlight the need for this would be if you had an account that only had read-only rights to vCenter (e.g. your "every day" account that you use on your workstation), and wanted to use a privileged account to read event logs from vCenter.

Sneddo avatar May 08 '15 01:05 Sneddo

I submitted #485 as a method to do this. I wasn't aware of New-VICredentialStoreItem, or of the Task Scheduler credentials feature. Whatever the solution is, it should be integrated in the "Adjusting connection Information" section at http://www.virtu-al.net/vcheck-pluginsheaders/vcheck/

rnelson0 avatar Sep 08 '16 02:09 rnelson0

This request is relevant again since the introduction of PSv6, where the VICredentialStoreItem solution will not work on non-Windows-based platforms. Not sure if this is a valid feature request or a lack of documentation. To be further explored.

lucdekens avatar Nov 16 '19 07:11 lucdekens