
Securing vCenter & REST API Credentials In PowerShell

Joshua Stenhouse

I was recently demonstrating a script to automate Exchange consistency verification for a prospect and right before the demo I thought to myself, “I bet they say we don’t want plain text passwords in the script”. I always give example scripts with plain text passwords to make the first run super easy, relying on the user to then pick how they want to secure it going forward. I quickly wrote 2 examples and had them ready to go, but this got me thinking. How many people just keep passwords in plain text and isn’t it about time I shared an easy to use example? Read on to see how.


The simplest method of storing credentials securely for subsequent re-use is to store them as a secure string in a file. The secure string can only be read on the host from which it was generated (usually a good thing!). To create your secure string, run the command below on the host that will be running the PowerShell script:

Get-Credential -Credential (Get-Credential) | Export-Clixml "C:\SecureString\SecureCredentials.xml"

In your script you simply need to import the credential file using the command below and you are off to the races:

$Credentials = Import-Clixml "C:\SecureString\SecureCredentials.xml"

However, this import method relies on being able to use the credentials in the form of a PSCredential object. If you are connecting to a vCenter this works great with:

$vCenterServer = "192.168.1.10"
Get-Module -ListAvailable VM* | Import-Module
Connect-VIServer -Server $vCenterServer -Credential $Credentials

But if you want to authenticate with a REST API (like Rubrik, Zerto or Prism) then the PSCredential object won’t work. Instead, you need to import the credentials using:

$Credentials = Import-Clixml "C:\SecureString\SecureCredentials.xml"
$User = $Credentials.UserName
$Password = $Credentials.GetNetworkCredential().Password
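
As an added example (not code from the original post), here is one way to turn the imported credential into a request header while handling the case where the file cannot be decrypted. On Windows, Export-Clixml protects the password with the Data Protection API, so the file can only be read by the same user account on the same host. The function name `Get-BasicAuthHeader`, the temp file and the demo account are hypothetical, and the example assumes the target API accepts HTTP Basic authentication.

```powershell
# Added example: names, the temp path and the demo account are constructed.
function Get-BasicAuthHeader {
    param(
        [Parameter(Mandatory)]
        [string]$CredentialPath
    )

    if (-not (Test-Path -LiteralPath $CredentialPath)) {
        throw "Credential file not found: $CredentialPath"
    }

    try {
        # On Windows, decryption fails here if the file was exported by
        # another account or on another host.
        $cred = Import-Clixml -LiteralPath $CredentialPath -ErrorAction Stop
    }
    catch {
        throw "Could not read '$CredentialPath': $($_.Exception.Message)"
    }

    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$CredentialPath' does not contain a PSCredential object."
    }

    # The plain-text password exists only inside this function's scope.
    $pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

    # Base64 is an encoding, not encryption: send this header over HTTPS only.
    return @{ Authorization = "Basic $token" }
}

# Demo with a constructed, throwaway credential so the block runs stand-alone.
# In real use the file is created interactively with Get-Credential, as above.
$demoPath = Join-Path ([IO.Path]::GetTempPath()) 'DemoCredentials.xml'
$demoPass = ConvertTo-SecureString 'constructed-demo-value' -AsPlainText -Force
[pscredential]::new('demo-user', $demoPass) | Export-Clixml -LiteralPath $demoPath

$headers = Get-BasicAuthHeader -CredentialPath $demoPath
Remove-Item -LiteralPath $demoPath

# $headers is then passed to the API call (placeholder URL, an assumption):
# Invoke-RestMethod -Uri 'https://<api-host>/<endpoint>' -Headers $headers
```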

And that’s it! You can now easily store your credentials securely without passwords in plaintext. If you want to go deeper on the subject and look at use cases such as sharing passwords between multiple hosts then I recommend reading this useful blog post:

https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-2/

Another alternative I’ve used in the past was a combination of key-based AES encryption and encrypting the PowerShell script itself as an executable. This enabled me to securely store a hardcoded SA password in a script that could run on any host, but never expose the key, script code or the password to the user. I did this using a program called ExeScript which unfortunately looks to not be available anymore, as the vendor website has totally gone, but if this is something that would save your day get in touch and I’ll see what I can do!

Happy scripting,

Joshua
