Secret store vs. secure string


Wright, John M

Nov 21, 2025, 2:13:11 PM (12 days ago) Nov 21
to ntsys...@googlegroups.com

Is anyone using secret store?  I was thinking of moving a script to that from the current secure string.

 

In particular, I’ve found that it’s impossible to automate using secret store unless I set the authentication to none.  As I understand it, this will still be an improvement because the credential will be encrypted and tied to user context.  As it stands, the password is stored as a secure string in a text file (in hex format).

 

Any opinions?

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

Michael B. Smith

Nov 21, 2025, 2:28:29 PM (12 days ago) Nov 21
to ntsys...@googlegroups.com

Sorry, I have to put on my consultant’s hat.

 

It depends.

 

A secure string is tied to the machine. It’s only semi-portable.

 

A secure string is ONLY SECURE ON WINDOWS. It’s not secure on any other platform.

 

However, it was around for 12-15 years before the secrets management module, so lots of code depends on it, and it is easy to use.

 

I use the PowerShell secrets management module. Is that what you mean by secret store?

 

If so, I automate this all the time. What issue are you having?


Wright, John M

Nov 21, 2025, 2:40:34 PM (12 days ago) Nov 21
to ntsys...@googlegroups.com

Yes, it’s the secrets management module.  I’m not exactly having any issues.  But I wondered what opinion others had about the relative security of these practices.

 

In this case, the vault stores a secure string called by script to form a credential for connecting to ESXi hosts and backing up the configs.

 

I’m really just trying to adhere to best practice, short of securing the vault with a password, which isn’t practical for a scheduled task.

 


Michael B. Smith

Nov 21, 2025, 3:01:01 PM (12 days ago) Nov 21
to ntsys...@googlegroups.com

I’d use the newer secrets management module. 😊
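
The following is an added example, not code posted by anyone in this thread. It shows one way to keep password authentication on a SecretStore vault while still running from a scheduled task: the vault password is exported with Export-Clixml and used with Unlock-SecretStore. The vault name, secret name, key path and function names are hypothetical, and it assumes Windows and a SecretStore that has not been configured yet.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
# Added example. Vault name, secret name and key path below are hypothetical.
$VaultName  = 'BackupVault'
$SecretName = 'EsxiBackupPassword'
$KeyPath    = Join-Path $env:LOCALAPPDATA 'BackupVault\vaultkey.xml'

function Initialize-UnattendedVault {
    # Run once, interactively, as the account the scheduled task runs under.
    [CmdletBinding()]
    param()
    $vaultPassword = Read-Host -AsSecureString -Prompt 'New vault password'
    $null = New-Item -ItemType Directory -Path (Split-Path $KeyPath) -Force
    # On Windows, Export-Clixml protects a SecureString with DPAPI,
    # so the file only decrypts for this user on this machine.
    $vaultPassword | Export-Clixml -Path $KeyPath

    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore
    }
    $config = @{
        Authentication  = 'Password'
        Interaction     = 'None'   # fail instead of prompting inside a task
        PasswordTimeout = 900      # seconds the store stays unlocked
        Password        = $vaultPassword
        Confirm         = $false
    }
    Set-SecretStoreConfiguration @config
    Unlock-SecretStore -Password $vaultPassword
    $esxiPassword = Read-Host -AsSecureString -Prompt 'ESXi password'
    Set-Secret -Vault $VaultName -Name $SecretName -Secret $esxiPassword
}

function Get-VaultCredential {
    # Called from the scheduled task; no prompt is ever shown.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserName)
    Unlock-SecretStore -Password (Import-Clixml -Path $KeyPath)
    $secret = Get-Secret -Vault $VaultName -Name $SecretName -ErrorAction Stop
    [pscredential]::new($UserName, $secret)
}
```

The key file is DPAPI-protected to the user and machine, so the vault is only as strong as the account the task runs under; restrict who can log on as or run code as that account.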

Michael B. Smith

Nov 21, 2025, 3:01:35 PM (12 days ago) Nov 21
to ntsys...@googlegroups.com