Go Commando when Scripting. Checking out the new PowerShell Secrets Module.


Everyone loves a good secret and anything to make it easier to store that secret and keep it from prying eyes is worth looking at. With that in mind, I was immediately interested when I read about the release of the new PowerShell Secrets Management Module.

Note that the current module uses the built-in Credentials Manager, which apparently can be exploited. Nonetheless, I have found it useful and easy to use and there is the promise to use extensions, including Azure and other “vaults” in the future.

So, how do you get this to work?

First install the module from https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretsManagement/0.2.0-alpha1

Install-Module -Name Microsoft.PowerShell.SecretsManagement -AllowPrerelease

If you find it’s not installing or loading correctly, be sure to update the local PowerShellGet module. I found that I also needed to install the latest .NET version. After that, things worked as expected.

Now add the password/secret to the Credentials Manager on the local machine via the new module. Remember you are adding this in the context of the current user, so only the logged-in user will have access to it.

Add-Secret -Name Test -Secret Secret

In the example above the secret is….well, Secret and the name is Test. Clever, right?


You can view it a number of ways:

Get-Secret -Name Test

Get-Secret -Name Test -AsPlainText


Name ModuleName ImplementingType
---- ---------- ----------------

From the Credentials Manager on that machine, you can see it as well:

Let’s assume you have a script that needs a name and password to authenticate to the local domain. You could pass that new secret easily in this really basic example. (Again, running in the context of the user account on the local machine where you created the secret)

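# Account to authenticate as
$User = "domain\User1"

# Without -AsPlainText, Get-Secret returns the stored string as a SecureString.
# Named $Password because $PWD is PowerShell's automatic current-location variable.
$Password = Get-Secret -Name Test

$UserCredential = New-Object System.Management.Automation.PSCredential ($User, $Password)

Get-ADUser -Identity <user> -Credential $UserCredential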

Pretty nifty, right? All I had to do was grab the password on the fly from the vault using Get-Secret.
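
The same lookup wrapped so a script fails closed when the secret is missing or is not the type it expects, and never asks for the plaintext. This is an added example, not code from the module or from the original post; the function name Get-VaultCredential and the 'User1' identity are made up for illustration, and it assumes the secret was stored with Add-Secret as shown earlier.

```powershell
# Added example (hypothetical helper, not part of the SecretsManagement module).
# Assumes the module is installed and the secret was created with Add-Secret.
function Get-VaultCredential {
    [CmdletBinding()]
    [OutputType([System.Management.Automation.PSCredential])]
    param(
        [Parameter(Mandatory)]
        [string] $SecretName,

        # Only needed when the stored secret is a bare password
        [string] $UserName
    )

    try {
        # No -AsPlainText: the password never exists as a plain string here
        $secret = Get-Secret -Name $SecretName -ErrorAction Stop
    }
    catch {
        throw "Could not read secret '$SecretName': $($_.Exception.Message)"
    }

    if ($null -eq $secret) {
        throw "Secret '$SecretName' was not found for user $env:USERNAME."
    }

    if ($secret -is [System.Management.Automation.PSCredential]) {
        # A full credential was stored; use it as-is
        return $secret
    }

    if ($secret -is [System.Security.SecureString]) {
        if ([string]::IsNullOrWhiteSpace($UserName)) {
            throw "Secret '$SecretName' holds only a password; supply -UserName."
        }
        return New-Object System.Management.Automation.PSCredential ($UserName, $secret)
    }

    # Byte arrays, hashtables, etc. are not usable as a credential
    throw "Secret '$SecretName' has unsupported type $($secret.GetType().FullName)."
}

# Usage with the secret named Test from above ('User1' is a constructed value)
$UserCredential = Get-VaultCredential -SecretName Test -UserName 'domain\User1'
Get-ADUser -Identity 'User1' -Credential $UserCredential
```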

Anyway, that’s it. Not much to get it to work, but lots of potential. I am looking forward to using this module as it matures.


Published by adavid6

Grumpy Old Exchange MVP. My old site was lost: https://web.archive.org/web/20180307110652/http://no-one-uses-email-anymore.com/ I have been an Exchange MVP since 2002. I also had the honor of naming “You had me at EHLO” for the Exchange Product Group Blog way back in the early 2000s. I attempt to answer forum questions on TechNet: https://social.technet.microsoft.com/profile/andy%20david/ and can be found on Twitter: https://twitter.com/adavid6 Reddit: https://www.reddit.com/user/adavid1608 Microsoft Tech Community: https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/86
