Configure PowerShell Secret Management Module

Sep. 18, 2020

This post is a quick set up guide for the PowerShell Secret Management module. I’ll do my best to keep these steps up to date but the module is still under development so the steps required to get set up could change at any time.

What is the Secret Mangement Module?

In short it locally and securely stores secrets like user credentials and API tokens. This solves some common pain points of existing methods like having to manually input secrets every session (secure, not very convenient) or storing secrets in a text file (convenient, not very secure). It also aims to simplify the integration of existing secret stores like Azure KeyVault or KeePass. See the references at the bottom of the page for more information.

Install the Module and Credential Store Vault

The Secret Management Module uses vault extensions that are also PowerShell Modules. I’ll be using the SecretStore vault since it’s cross-platform, though as of now I’ve only used it in Windows 10 running Powershell v7.0.3.

Install SecretManagement and SecretStore:

Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery -AllowPrerelease
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery -AllowPrerelease

Confirm the installations:

Import-module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
Get-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore | Select-Object Name,Version

Below are the latest versions at the time of this writing:

Name                                  Version
----                                  -------
Microsoft.PowerShell.SecretManagement 0.5.2
Microsoft.PowerShell.SecretStore      0.5.1

Register the Vault and Create Secret

After installing the SecretStore vault you’ll need to register it in SecretManagement:

Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

Now you can create your first secret! But, there are a couple of things to take note of first. By default Set-Secret stores the secret as a secure string, which happens to be what I need in this case. Other supported secret types are byte[], String, PSCredential and Hashtable.

Another default behavior of SecretStore is that you need to enter a password to access your secrets. So, when you create your first secret you’ll be prompted to create a password if you haven’t already. There is also a 900 second time out set by default, meaning that after 15 minutes you will need to enter your password again to access your secrets. You can view the default SecretStore configuration with Get-SecretStoreConfiguration and update it with Set-SecretStoreConfiguration.

I’ll be storing my Cloudflare API key:

Set-Secret -Name CloudflareApiKey -Secret 'ApiKeyGoesHere'

Test the Secret

Finally I’ll test the secret with the below snippet:

$Params = @{
    Method         = 'Get'
    Uri            = ''
    Authentication = 'Bearer'
    Token          = Get-Secret -Name CloudflareApiKey

    $Output = Invoke-RestMethod @Params
    return $Output.messages.message

If everything goes well you should receive the message, This API Token is valid and active!

Feel free to reach out with any questions/comments and check out the below references as well as the built in PowerShell help for more information.


SecretManagement Preview 3 (Sep 2020)
SecretManagement Design Changes (Sep 2020)
SecretManagement GitHub Repo
SecretStore GitHub Repo