Personal vault helps to store the secrets locally and manage it in easy and
Personal vault helps to store the secrets in a key value pair and make it
easy to manage. It uses
's inbuild security mechanism to encrypt and decrypt the secret texts. The
secrets are encrypted using an auto-generate 32 bits key and stored in the
provides the cmdlet to add, get, update and remove the secrets easily. You
can use your own key which should be of 32 bits or generate it using the
You can secure all your secrets with individual key and store it in the
vault. This way you can store your secrets more securely. Rotate your keys
easily and all retrieve it using the
parameter in the cmdlet
Additionally, you can tab complete the available keys from the vault for
easy retrieval of the keys.
gives a warning if the secret value that you're trying to store is already
exposed (or hacked) in the internet. This gives us an opportunity to review
the secret value and change it immediately.
Your secret values are protected with a username and password and you should
use it every time when you try to access your vault from a new console
# You should register first to work with the vault
# You should remember your recovery word to recover your registered username and password
PS C:\> $recoveryWord = Read-Host -AsSecureString
PS C:\> Register-PSPersonalVault -Credential (Get-Credential) -RecoveryWord $recoveryWord
# connect to the vault with the credential
PS C:\> $connection = Connect-PSPersonalVault -Credential (Get-Credential)
PS C:\> Add-PSSecret -Name "GMail_username" -Value "Thisisanonhackablepassword@2021" -Metadata "My personal gmail account."
Add a secret value to the vault.
PS C:\> Add-PSSecret -Name Test -Value 'Test@123' -Metadata "Adding a test value"
WARNING: Secret 'Test@123' was hacked 833 time(s); Consider changing the secret value.
Get a warning if the secret you are trying to add is exposed.
PS C:\> Get-PSSecret
Get the secret value from the vault
PS C:\> Get-PSKey
Get the key used to encrypt the secet value
PS C:\> Get-PSKey -Force
PS C:\> Add-PSSecret -Name "GMail_Username" -Value "Thisisanonhackablepassword@2021" -Metadata "My official gmail account."
Rotate the key and add a new secret
PS C:\> Get-PSArchivedKey
Get the archived keys. Use it to retrieve the secrets that was encrypted
using these keys.
PS C:\> Update-PSSecret -Name Test -Value "AnyStrongPassword@2021"
Update a secret value. Use tab completion to find the key to update it's
PS C:\> Remove-PSSecret -Name Test -Force
Remove a secret with the key
PS C:\ Remove-PSPersonalVault -Force
Force remove the vault. This is a destructive operation and it removes all
the stored secrets.
It is best to save the secrets with individual keys for more security. Since
the PowerShell encryption uses Windows DPAPI, the user who stored the keys
and secrets can only view it in plain text. The secret values that you are
entering as plain text in the session will not stick to in the history.
will automatically remove the module related cmdlets from the history.
Re-open the console to make sure that all the secrets are removed from the
Try the cmdlets.