VMware Cloud Community
scroucher123456
Contributor

VICredentialStoreItem security

I am reviewing the VICredentialStoreItem cmdlets (https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/New-VICredentialStoreItem.htm...) and I am curious as to how secure these cmdlets actually are.

The URL says quite clearly:

"The credential store is not designed to be a secure password repository. Although the passwords added to the credential store are obfuscated, they can be recovered by anyone who can access the credential store file"

I am wondering what underlying technology is being used here, because if it's Microsoft DPAPI that is being used, I'd say that offers a reasonable degree of protection against someone obtaining the file and being able to decrypt the password, as the encryption/decryption needs to be run from the same user context.

Does anyone know, or is it actually the case that the password strings that are generated in the XML are totally trivial to decrypt?

Thanks

Shaun

4 Replies
LucD
Leadership

Not totally trivial: you will need to use the account and the computer on which the store item was created.
But if that is possible, I would guess that security is already breached at a higher level.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

scroucher123456
Contributor

Hi LucD,

Thanks for the reply.

That's what my general point was, really. I use Microsoft DPAPI a fair bit when using PowerShell in general, on the premise that if your account has been compromised on the device you are logged in to, that's a different scenario from someone being able to harvest the encrypted strings and simply decrypt them trivially on another machine.

In which case, when it states the below, it's not quite the full picture, because the person who has access to the file also needs to control a process that is running under the same account and computer used to create the file content:

"Although the passwords added to the credential store are obfuscated, they can be recovered by anyone who can access the credential store file"

Thanks

Shaun

LucD
Leadership

That is correct.

Btw, an alternative is to use an AES key to do the encryption, then your secure string becomes portable.

The drawback is that the AES key, which you need for decryption, needs to be protected.


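As an added example (not code from this thread, from VMware, or from PowerCLI), the script below shows the two SecureString export modes LucD's answer contrasts, using only the standard ConvertFrom-SecureString/ConvertTo-SecureString cmdlets: the default DPAPI-bound form that only converts back under the same user account on the same computer, and the -Key form that is portable but makes the AES key file the thing you now have to protect. It shows the generic PowerShell mechanism, not the internal format of the VICredentialStoreItem XML file, which the thread does not document. The file names, the sample password, the account name and the assumption that it runs on Windows as the service account that will later consume the credential are all mine.

```powershell
# Added example: DPAPI-bound vs. AES-key-portable SecureString export.
# Assumes Windows (DPAPI is Windows-only), Windows PowerShell 5.1 or PowerShell 7.
# Sample secret and account name are constructed for the demo.
$plain  = 'P@ssw0rd-example'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# 1. DPAPI-bound export. Without -Key, ConvertFrom-SecureString protects the string
#    with the current user's DPAPI master key. The blob is only useful to code running
#    as this user on this machine; elsewhere ConvertTo-SecureString throws
#    ("Key not valid for use in specified state").
$secure | ConvertFrom-SecureString | Set-Content -Path .\vc-dpapi.txt

$back = Get-Content .\vc-dpapi.txt | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential('vcadmin', $back)
if ($cred.GetNetworkCredential().Password -eq $plain) {
    Write-Output 'DPAPI blob round-trips in the same user/machine context'
}

# 2. Portable export with an explicit 256-bit AES key (the alternative LucD describes).
#    Anyone holding both vc-aes.txt and vc.key can decrypt, so the key file needs an
#    ACL and location at least as tight as the plaintext password would.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$keyPath = Join-Path $PWD 'vc.key'
[System.IO.File]::WriteAllBytes($keyPath, $key)   # version-independent raw byte write

$secure | ConvertFrom-SecureString -Key $key | Set-Content -Path .\vc-aes.txt

# Lock the key file down to the current account only: drop inherited ACEs, add one rule.
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Decrypt anywhere that has both files: no dependency on user profile or machine.
$key2  = [System.IO.File]::ReadAllBytes($keyPath)
$back2 = Get-Content .\vc-aes.txt | ConvertTo-SecureString -Key $key2
$cred2 = New-Object System.Management.Automation.PSCredential('vcadmin', $back2)
if ($cred2.GetNetworkCredential().Password -eq $plain) {
    Write-Output 'AES blob round-trips with the key file, independent of DPAPI'
}

# 4. A wrong key is (almost always) rejected by the CBC padding check rather than
#    silently yielding garbage; handle both outcomes.
$wrong = New-Object byte[] 32
try {
    $bad = Get-Content .\vc-aes.txt | ConvertTo-SecureString -Key $wrong
    Write-Output 'Decryption with a wrong key did not throw; result is garbage, not the secret'
} catch {
    Write-Output "Wrong key rejected: $($_.Exception.Message)"
}
```

Practical reading of the two modes: the DPAPI blob is tied to the account and machine, so harvesting vc-dpapi.txt alone does not yield the password; the AES blob travels, but vc.key is then equivalent to the password, so it belongs on a restricted ACL (as above) or in a secrets store, never next to the blob in the same share or repository.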
scroucher123456
Contributor

Thanks :)
