The PowerShell Secrets Management Module became one of my must-haves on every computer i use with PowerShell. I already wrote a couple of posts about it.
Recently i tested a Macbooc Air M1 and wanted to use the secrets i had on my main Windows machine. The approac was to simply generate a CSV-file from the secrets and import it on the Mac. As a reminder, lets summarize what Secrets Managemt Architecture is about.
- Secrets are stored in Vaults
- Secrets may occur in the form of 3 types – String, SecretString or PSCredentials
- Secrets may also have Metadata stored
Export Secrets from the source machine (backup)
In the first step we export all 3 types of secrets from the source machine. If you just want to make a backup you are done here. I assume your vaultname is „myVault“, please change as required.
Export Credentials
Get-Secretinfo -Vault myVault|Where Type -eq PSCredential|Select-Object Name,@{Name='Username';Expression={(Get-Secret -Name $_.Name).Username}},@{Name='Password';Expression={(Get-Secret -Name $_.Name).Password|ConvertFrom-Securestring -AsPlainText}}|Export-Csv C:\temp\Credentials.csv
First we get all secrets with Get-SecretInfo, then we filter only PSCredentials with Where-Object and finally we use Get-Secret and ConvertFrom-SecureString do dig out the password. The result is a CSV as shown below:
Export SecretStrings
Strings and secret strings are more or less the same thing, they are just less work as only one item.
# Strings
Get-SecretInfo -Vault myVault|Where-Object Type -eq String |Select-Object Name,@{Name='String';Expression={Get-Secret -Name $_.Name|ConvertFrom-SecureString -asplaintext}} |Export-Csv d:\Strings.csv
# SecureStrings
Get-SecretInfo -Vault myVault|Where Type -eq SecureString |Select-Object Name,@{Name='SecureString';Expression={Get-Secret -Name $_.Name|ConvertFrom-SecureString -asplaintext}} |Export-Csv d:\SecureStrings.csv
So far so good, all our secrets are exported, BUT the metadata is missing. So far i havent diged into this, if you have solutions for metadata export, let me know.
Import secrets into target machine (restore)
With the CSV file screated it is now easy to transfer the CSV files via USB stick or something similar (DO NOT USE UNENCRYPTED E-MAIL !!) to your target machine.
On the target machine, the Secrets Management and Secrets Store Modules need to be setup, read the blogposts i mentioned at the beginning if you need help. I assume we have a vault there called „myVault2“.
Import Credentials
Import-Csv ./Credentials.csv | Foreach-Object {[securestring]$secStringPassword = (ConvertTo-SecureString $_.Password -AsPlainText -Force);[string]$username=$_.UserName; [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword);Set-Secret -Name $_.Name -Secret $credobject -vault myVault2}
In the first step we read the CSV file with Import-CSV. Then we need to transform the data into the correct types (Strings, SecrtStrings, Cedentials) to pass it over to Set-Secret. This happens in a Foreach-Object loop. In the loop we first transform the password into a securestring and store it in $secStringPassword. Then we store the username in $UserName. And then we create a PSCredentialObject named $CredObject. Finally we creste the secret with Set-Secret, and done !
Import Strings and SecureStrings
The process is a little easier here as we dont need to create complicated Crededential objects.
SecureStrings
Import-Csv ./SecureStrings.csv | foreach-object {[securestring]$secStringPassword = (ConvertTo-SecureString $_.SecureString -AsPlainText -Force);Set-Secret -Name $_.Name -Secret $secStringPassword -vault myVault2}
Strings
Import-Csv ./Strings.csv | Foreach-Object {Set-Secret -Name $_.Name -Secret $_.String -vault myVault2}
Mission completed. Do delete the CSV files afterwards for security reasons!
Cheers/Roman
Photo by Tobias Fischer on Unsplash
