docs(EncryptCredential): add keyfile ACL guidance and scheduled task/service usage#77
Open
…all modules Adding publish workflows for all modules
Bringing all copyrights to 2025, removing trailing spaces
Adding a hint about the github repository documentation for #psnotify
Fixing publishing workflows only trigger when pull from dev to main
Fixing ConvertStrings version number
Bringing TestCredential to 0.0.5 and add Pester tests and documentation
Fixing documentation
Added check of vcredist, powershellget and packagemanagement version …
Publish ImportDependency 0.3.2 with Caching of global nuget packages and loading local packages
Adding tests to SqlPipeline and fixed a missing exception
Fixed ImportDependency with missing vcredist and changed sqlpipeline
Update sqlpipeline.tests.yml with verbose output on installation
Creating first workflow pipeline for sqlpipeline
Changes for ImportDependency 0.3.4 and extended documentation
Fixing Linux compatibility for WriteLog and push to 0.9.15
Pushing ImportDependency to 0.3.5 with adding some Linux information
Small fixes and Linux improvements for ImportDependency, SqlPipeline and WriteLog
Enhancements to get Import-Dependency and WriteLog working better together
Fixing SqlPipeline and push to 0.1.5
New releases for SqlPipeline and MeasureRows for better Linux support
Updating SqlPipeline and EncryptCredential
Adding tests and Linux compatibility for ConvertUnixTimestamp into 0.1.0
Adding more Info for ConvertUnixTimestamp on the main readme
Updating ImportDependency to 0.3.8 and Install-Dependencies to 0.1.11
Small fix for ImportDependency to detect vcredist
Changes for WriteLog 0.9.18 and ImportDependency 0.3.10
Fixes and updates for ImportDependency and InvokeWebRequestUTF8
Fixed a bug in ImportDependency where a native OS dependent dll was c…
Switching a Command for ImportDependency to avoid PowerShellGet problems
Fixed a missing return value for ImportDependency
Pushing WriteLog to 0.10.0 with new functionality (multiple logfiles and flexible output format)
Bringing PSNotify and ImportDependency to newer versions
More changes for PSNotify and bump to 0.1.0
Bringing ImportModule to 0.4.0 with better performance
Some cosmetic changes and improvements to ExtendFunction 0.10.0 and additions to main readme.md
Fixed a typo in Import-Dependency after tests with Ubuntu
Bringing ImportDependency to 0.4.2 with another approach on how to lo…
Fixed .NET Core issues for ImportDependency and bumped to 0.4.3
Bumping ImportDependency to 0.4.4
Bumping ImportDependency to 0.4.5 for better runtime support independ…
Bumping ImportDependency to 0.4.6 for better Linux support
Bumping ImportDependency to 0.4.7
Bumping ImportDependency to 0.4.8
Bumping WriteLog to 0.10.1
Bumping PSNotify to 0.1.1 after bugfixing with Claude AI
Bringing EncryptCredential to 0.3.0
Updated PowerShell module installation to use CurrentUser scope.
Changed module installation to use CurrentUser scope.
Adding DuckDB support to SqlPipeline. Fixing ImportDependency for Linux
Bringing SqlPipeline to 0.3.2 and fixing a function name clash with...
…service usage
- Fix factual error: encrypted strings are AES-based (not DPAPI) and ARE portable across machines/users when the same keyfile is available
- Fix function name typo: Get-PlaintextToSecure -> Convert-PlaintextToSecure
- Add 'Keyfile Security' section documenting auto-applied permissions and PowerShell/bash snippets for manually verifying or tightening ACLs
- Add 'Using with Scheduled Tasks or Windows Services' section with four options: same-user, dedicated service account, shared keyfile with ACL (Windows), and Linux systemd service with restricted file ownership
https://claude.ai/code/session_01EMrR6kMzxdtT58UWQchGkw
…r via HMAC-SHA256
Adds Private/Get-BoundKey.ps1 which derives the actual AES key as: HMAC-SHA256(key=keyfileBytes, data=machineId|userId)
Machine and user identity are read from the OS at runtime:
- Windows: MachineGuid (registry) + current user SID
- Linux: /etc/machine-id + username + numeric UID (id -u)
There is no caller-supplied parameter to override these values; the only way to decrypt is to physically be running as the same user on the same machine that performed the encryption.
Both Convert-PlaintextToSecure and Convert-SecureToPlaintext now call Get-BoundKey after Read-Keyfile instead of using raw keyfile bytes.
BREAKING CHANGE: all previously encrypted strings must be re-encrypted. Bumps version to 0.4.0.
Updates README with a 'Machine and User Binding' section, corrects the scheduled-task options to reflect that encryption and decryption must be performed by the same OS account, and updates the shared-keyfile option accordingly.
https://claude.ai/code/session_01EMrR6kMzxdtT58UWQchGkw
Two paths covered:
- Path A: decrypt all stored strings while v0.3.0 is still installed, upgrade, then re-encrypt with v0.4.0
- Path B: already upgraded without migrating; decrypt using raw PowerShell (ConvertTo-SecureString -Key with raw keyfile bytes, bypassing the new HMAC binding) then re-encrypt with the new module
Also includes a Read-KeyfileRaw helper that handles both the new binary format and the legacy line-per-byte text format.
https://claude.ai/code/session_01EMrR6kMzxdtT58UWQchGkw
Windows (New-KeyfileRaw): keyfile is now written as a DPAPI-protected blob (ProtectedData.Protect, CurrentUser scope) instead of raw bytes. The raw AES key never touches disk. DPAPI is backed by Windows credential infrastructure (LSASS / TPM); knowing the user SID or machine GUID alone cannot bypass it.
Windows (Get-BoundKey): calls ProtectedData.Unprotect() to recover the AES key. Throws a clear error for legacy raw-bytes keyfiles pointing to the migration guide.
Read-Keyfile: returns DPAPI blobs (> 32 bytes on Windows) as-is for Get-BoundKey to handle, preserving the legacy text-format fallback on Linux.
Linux/macOS: HMAC-SHA256 binding unchanged.
README: rewrites the Machine and User Binding section to explain the platform split, documents the DPAPI user-profile requirement for scheduled tasks (LogonType=Password, not S4U), adds domain password-reset / gMSA warning, and updates the migration guide to reflect the new keyfile format.
https://claude.ai/code/session_01EMrR6kMzxdtT58UWQchGkw
…smoke-test Adds Option 5 to the scheduled tasks section covering both in-process (Runspace.CreateRunspace) and out-of-process (PowerShellProcessInstance) C# hosting. Explains that the same LoadUserProfile requirement applies in both cases, since the child process inherits the parent's Windows token and profile state. Includes a C# out-of-process code example and a DPAPI smoke-test snippet (ProtectedData round-trip) that can be added to startup/health-check logic to verify DPAPI is available before the module is called at runtime. https://claude.ai/code/session_01EMrR6kMzxdtT58UWQchGkw
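The Linux/macOS key binding described in the commits above, as an added PowerShell example that is not the module's own Get-BoundKey code: it derives the AES key with HMAC-SHA256 over the keyfile bytes and a machine/user identity string, then shows that the same keyfile produces a different key on another machine, so a blob encrypted on one machine only decrypts where the same key can be re-derived. The "|" delimiter, the exact identity string layout, the function names and all demo values are assumptions.

```powershell
# Added example, not the module's own code. Derives a machine/user-bound AES key
# from keyfile bytes with HMAC-SHA256, as the commit message describes for
# Linux/macOS (Windows keyfiles are DPAPI-protected instead). The identity
# layout "machineId|userId" and the names below are assumptions.
function Get-BoundKeyExample {
    param(
        [Parameter(Mandatory)][byte[]]$KeyfileBytes,   # secret: keyfile contents
        [Parameter(Mandatory)][string]$MachineId,      # e.g. /etc/machine-id
        [Parameter(Mandatory)][string]$UserId          # e.g. username + UID
    )
    $data = [System.Text.Encoding]::UTF8.GetBytes("$MachineId|$UserId")
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($KeyfileBytes)
    try     { return $hmac.ComputeHash($data) }   # 32 bytes = AES-256 key
    finally { $hmac.Dispose() }
}

# Reads the identity the way the commit message says the module does on Linux.
# Linux only; the demo below uses constructed values instead of calling it.
function Get-LinuxIdentityExample {
    $machineId = (Get-Content -Path /etc/machine-id -Raw).Trim()
    $uid       = (& id -u).Trim()
    return @{ MachineId = $machineId; UserId = "$([Environment]::UserName):$uid" }
}

# Constructed demo inputs (not real identities or keys)
$keyfile = [byte[]](1..32)
$keyA = Get-BoundKeyExample -KeyfileBytes $keyfile -MachineId 'machine-A' -UserId 'svc:1001'
$keyB = Get-BoundKeyExample -KeyfileBytes $keyfile -MachineId 'machine-B' -UserId 'svc:1001'

# Same keyfile and user, different machine id: the derived key is different
"keys differ: $([BitConverter]::ToString($keyA) -ne [BitConverter]::ToString($keyB))"

# Encrypt with the bound key using PowerShell's AES-based -Key mode
$secret = ConvertTo-SecureString -String 'demo-password' -AsPlainText -Force
$blob   = ConvertFrom-SecureString -SecureString $secret -Key $keyA

# Re-deriving the key from the same keyfile and identity decrypts the blob;
# $keyB cannot (AES decryption with the wrong key fails on padding or yields garbage)
$restored = ConvertTo-SecureString -String $blob -Key (
    Get-BoundKeyExample -KeyfileBytes $keyfile -MachineId 'machine-A' -UserId 'svc:1001')
$plain = [System.Net.NetworkCredential]::new('', $restored).Password
"round trip ok: $($plain -eq 'demo-password')"
```

Because the keyfile bytes are the HMAC secret, the keyfile ACLs documented in the first commit remain the real boundary: the identity string is not secret, it only stops a copied keyfile from working elsewhere.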