DSC secure string?

This topic contains 4 replies, has 2 voices, and was last updated by  Dan Potter 1 week, 4 days ago.

  • #80749

    Dan Potter
    Participant

    Is there any way to secure the arguments string inside the package resource?

    Spent the day configuring the cert setup for using PsDscRunAsCredential and then.. oh yeah, the credentials are also in the Arguments string 🙁

  • #81151

    Don Jones
    Keymaster

    I'm not certain I follow... "also in the Arguments string?" "Inside the package resource?"

  • #81158

    Dan Potter
    Participant

    Unfortunately I have something like this. I can encrypt the PsDscRunAsCredential but I also have to use this string in the arguments.

    
    # Installer command line: the service account name and password are expanded into it as plain text.
    $commandargs = @"
    /s /v" /qn SILENT_MODE=1 /Li SDInstall.log INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" SVCUSERNAME=$SMSQLUSER SVCUSERPASSWORD=$SMSQLPASS"
    "@
    
    # The same account as a PSCredential, passed to PsDscRunAsCredential below.
    $credentials = New-Object System.Management.Automation.PSCredential($SMSQLUSER,$SMSQLPASS)
    
    WindowsFeature Netframework
    {
        Ensure = "Present"
        Name = "NET-Framework-Core"
    }
    
    Package SnapInstall
    {
        Ensure = "Present"
        Path = "c:\windows\temp\SnapDrive7.1.4P1_x64.exe"
        Name = "SnapDrive"
        ProductId = "{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}"
        # Arguments is an ordinary string property, unlike the PSCredential below.
        Arguments = $commandargs
        PsDscRunAsCredential = $credentials
        DependsOn = '[WindowsFeature]Netframework'
    }
    
    
  • #81161

    Don Jones
    Keymaster

    Oh. So you're generally asking, "how can I protect sensitive information in an argument" regardless of whether it's a credential per se.

    That was more or less asked at https://stackoverflow.com/questions/44585764/passing-securestring-variables-to-dsc-configuration-for-read-only-domain-control also.

    Also at https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/266, which gives us a clue: you can't. The intent would be to have that data live in some kind of key vault, and you'd retrieve it dynamically somehow.

  • #81365

    Dan Potter
    Participant

    Thanks. I hope encrypting the entire mof is planned for the future.
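
Added example, not part of the thread and not any project's own code: one way to follow the advice above about retrieving the value dynamically is to swap the Package resource for a Script resource that reads the password from a vault on the node at apply time, so only the secret's name is compiled into the MOF. Assumptions: the Microsoft.PowerShell.SecretManagement module and a vault readable by the run-as account exist on the node, a hypothetical secret named SnapDriveSvc holds a PSCredential, the configuration name SnapDriveFromVault is made up, and the product's uninstall registry key is used as the "installed" check.

```powershell
Configuration SnapDriveFromVault
{
    param ([Parameter(Mandatory)] [pscredential] $RunAs)

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName
    {
        WindowsFeature Netframework
        {
            Ensure = "Present"
            Name   = "NET-Framework-Core"
        }

        Script SnapInstall
        {
            # Script blocks are written to the MOF as text, so they must contain only the
            # secret's NAME. Never pass the password in with $using: (its value is serialized).
            GetScript = {
                $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}'
                @{ Result = [string](Test-Path -LiteralPath $key) }
            }
            # Assumption: the installer registers its product code under the Uninstall key.
            TestScript = {
                $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}'
                Test-Path -LiteralPath $key
            }
            SetScript = {
                # Resolved on the node when the configuration is applied, not at compile time.
                $cred = Get-Secret -Name 'SnapDriveSvc'   # hypothetical secret name
                $pass = $cred.GetNetworkCredential().Password
                $msi  = '/qn SILENT_MODE=1 /Li SDInstall.log INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" ' +
                        "SVCUSERNAME=$($cred.UserName) SVCUSERPASSWORD=$pass"
                $p = Start-Process -FilePath 'c:\windows\temp\SnapDrive7.1.4P1_x64.exe' `
                         -ArgumentList ('/s /v" ' + $msi + '"') -Wait -PassThru
                if ($p.ExitCode -ne 0) { throw "SnapDrive installer exited with code $($p.ExitCode)" }
            }
            PsDscRunAsCredential = $RunAs
            DependsOn            = '[WindowsFeature]Netframework'
        }
    }
}
```

The password is still expanded onto the installer's command line on the node, so it can show up in process command-line auditing there; this approach keeps it out of the MOF, not off the node.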
