Decrypted credentials visibility


This topic contains 1 reply, has 2 voices, and was last updated 1 year, 9 months ago.

  • #71594 (Member)

    As we develop our DSC strategy, we would like different teams (Operations, DBAs) to be able to update configurations but not be able to see any sensitive credentials used in configurations.
    At the moment we use MOF certificate encryption with private keys that are distributed to nodes, and we use the corresponding public keys to encrypt MOFs on the pull server.
    We also use WMF 5.1, and it also encrypts MOFs stored on nodes, meaning that credentials in MOFs are encrypted using certificates and the MOF files themselves are encrypted locally on nodes using DPAPI.
    Configuration files would be updated by other teams using source control. Once the configuration files are checked in, CD/CI would pick them up, build, test and deploy the MOFs to pull servers.
    Now the issue that we face: Operations and other team members will have local administrator privileges on the nodes they own. Does it mean that they would be able to see decrypted credentials one way or another?
    If this is the case, how can we mitigate it? Someone suggested using separate encryption/decryption certificates for different teams, but this seems like a complication and does not resolve the issue entirely.

  • #71737 (Community Hero, Team Member)

    It depends on how the certificates are built. The decrypting node needs a private key; if someone has access to that node, and its certificate store, then yes, they could manually decrypt a MOF with some amount of labor and knowledge. With administrator credentials, I imagine they could do a lot worse damage with a lot less effort. But there's really not much of an alternative, short of creating custom resources that somehow grab secrets from a credential store on-the-fly.
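The setup both posts describe (credentials encrypted into the MOF at compile time with the node's public key, decrypted on the node by the LCM's private key) can be arranged so that the teams editing the configuration script never see the password at all: the script takes the credential as a parameter and the CI build step supplies it. The following is an added example written for this thread, not code posted by either participant. It assumes a node named node01 whose public key has been exported to C:\DscCerts\node01.cer, a placeholder thumbprint, and a hypothetical Get-BuildSecret helper standing in for whatever secret store the CI system uses.

```powershell
# Added example (not from the thread): compile a MOF so that the password is
# never present in the checked-in configuration script.
# Assumptions: node01's public key is at C:\DscCerts\node01.cer, the thumbprint
# below is a placeholder, and Get-BuildSecret is a hypothetical helper that
# reads the password from the CI system's secret store.

Configuration SqlAgentService {
    param(
        # Supplied by the build step at compile time; never stored in this file
        [Parameter(Mandatory)]
        [PSCredential] $ServiceCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # Any resource with a Credential property works the same way;
        # the LCM decrypts the value on the node at apply time.
        Service SqlAgent {
            Name        = 'SQLSERVERAGENT'
            StartupType = 'Automatic'
            State       = 'Running'
            Credential  = $ServiceCredential
        }
    }
}

# Per-node data: the public key used to encrypt credential properties in this
# node's MOF. The matching private key lives only in node01's certificate
# store, and the LCM on node01 must point at it via its CertificateID setting.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'node01'
            CertificateFile = 'C:\DscCerts\node01.cer'
            Thumbprint      = '0000000000000000000000000000000000000000'  # placeholder
        }
    )
}

# Build step (runs on the CI agent, not on the node): the secret is fetched
# here, so people who can edit the script above never need to know it.
$secret = Get-BuildSecret -Name 'SqlAgentServiceAccount'   # hypothetical helper
$cred   = [PSCredential]::new(
    'CONTOSO\svc_sqlagent',
    (ConvertTo-SecureString $secret -AsPlainText -Force)
)

SqlAgentService -ServiceCredential $cred -ConfigurationData $configData -OutputPath .\Mofs

# Sanity check before publishing to the pull server: the compiled MOF should
# carry only the encrypted blob, never the plaintext password.
if (Select-String -Path .\Mofs\node01.mof -Pattern ([regex]::Escape($secret)) -Quiet) {
    throw 'Plaintext password found in node01.mof; credential encryption was not applied.'
}
```

This separates who can change the desired state from who can see the secret at compile time, which is the part of the question that certificates alone do not address. It does not change the answer's point about the node itself: once the MOF is on node01, anyone with administrator rights there has the private key (and, under WMF 5.1, the DPAPI-protected cached MOF) within reach, so the private key should be installed non-exportable and local administrator membership on managed nodes treated as equivalent to access to every credential in that node's configuration.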

The topic ‘Decrypted credentials visibility’ is closed to new replies.
