
September 27, 2017 at 8:34 pm

Is there any way to secure the arguments string inside the package resource?

Spent the day configuring the cert setup for using PsDscRunAsCredential and then... oh yeah, the credentials are also in the Arguments string 🙁

October 3, 2017 at 2:34 pm

I'm not certain I follow... "also in the Arguments string?" "Inside the package resource?"

October 3, 2017 at 2:48 pm

Unfortunately I have something like this. I can encrypt the PsDscRunAsCredential but I also have to use this string in the arguments.


# The here-string expands $SMSQLUSER and $SMSQLPASS, so the password lands in Arguments as plain text
$commandargs = @"
/s /v" /qn SILENT_MODE=1 /Li SDInstall.log INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" SVCUSERNAME=$SMSQLUSER SVCUSERPASSWORD=$SMSQLPASS"
"@

# PSCredential requires a SecureString password, so convert the plain-text value first
$securePass = ConvertTo-SecureString $SMSQLPASS -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($SMSQLUSER, $securePass)

WindowsFeature Netframework
{
    Ensure = "Present"
    Name = "NET-Framework-Core"
}

Package SnapInstall
{
    Ensure = "Present"
    Path = "c:\windows\temp\SnapDrive7.1.4P1_x64.exe"
    Name = "SnapDrive"
    ProductId = "{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}"
    Arguments = $commandargs
    PsDscRunAsCredential = $credentials
    DependsOn = '[WindowsFeature]Netframework'
}

October 3, 2017 at 2:54 pm

Oh. So you're generally asking, "how can I protect sensitive information in an argument" regardless of whether it's a credential per se.

That was more or less asked at https://stackoverflow.com/questions/44585764/passing-securestring-variables-to-dsc-configuration-for-read-only-domain-control also.

Also at https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/266, which gives us a clue: you can't. The intent would be to have that data live in some kind of key vault, and you'd retrieve it dynamically somehow.
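
One way to retrieve the secret dynamically on the node, as an added example that is not part of the original thread or of the DSC project's code: a Script resource decrypts a CMS-protected file at apply time, so the compiled MOF never contains the service password. The configuration name, the .cms file path, and the availability of the decryption certificate to the run-as account are assumptions.

```powershell
# Added example, not from the thread. Assumed/hypothetical: the .cms path, the
# configuration name, and that the run-as account can read the private key of the
# certificate the file was encrypted to with Protect-CmsMessage.
Configuration SnapDriveInstall
{
    param(
        [Parameter(Mandatory)] [string] $SMSQLUSER,
        [Parameter(Mandatory)] [pscredential] $RunAsCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Compile with the ConfigurationData (CertificateFile/Thumbprint) already set up
    # for PsDscRunAsCredential, so the run-as credential is encrypted in the MOF.
    Node $AllNodes.NodeName
    {
        Script SnapInstall
        {
            GetScript  = { @{ Result = 'SnapDrive' } }
            TestScript = {
                # Assumes the ProductId from the post appears as a 64-bit uninstall key.
                Test-Path -LiteralPath ('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' +
                    '{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}')
            }
            SetScript  = {
                # Decrypted on the node at apply time; the MOF holds only this path.
                $secretFile = 'C:\ProgramData\DscSecrets\snapdrive.cms'   # hypothetical
                $pass = (Unprotect-CmsMessage -Path $secretFile).Trim()
                $user = $using:SMSQLUSER
                $installArgs = '/s /v" /qn SILENT_MODE=1 /Li SDInstall.log ' +
                    'INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" ' +
                    "SVCUSERNAME=$user SVCUSERPASSWORD=$pass`""
                $proc = Start-Process -FilePath 'c:\windows\temp\SnapDrive7.1.4P1_x64.exe' `
                    -ArgumentList $installArgs -Wait -PassThru
                if ($proc.ExitCode -ne 0) {
                    throw "SnapDrive installer exited with code $($proc.ExitCode)"
                }
            }
            PsDscRunAsCredential = $RunAsCredential
        }
    }
}
```

The user name still appears in the MOF through `$using:`, and the password is still visible on the installer's command line while the process runs, because the installer only accepts it as an argument.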

October 5, 2017 at 2:38 pm

Thanks. I hope encrypting the entire MOF is planned for the future.