ProtectedData

1.1.1

en-US/about_ProtectedData.help.txt

                                TOPIC

    about_ProtectedData

SHORT DESCRIPTION

    Provides background information about the ProtectedData module.

  About ProtectedData

      When you need to store secret data, such as a set of credentials, in a

      PowerShell script, you would typically use the Export-Clixml or

      ConvertFrom-SecureString cmdlets to accomplish this.  These commands

      leverage the Windows Data Protection API (DPAPI) to perform the encryption.

      The DPAPI is extremely convenient, but it has a limitation:  the data can

      only be decrypted by the user who originally encrypted it, and in many cases,

      this decryption can only happen on the same computer where the encryption

      took place (unless you have Credential Roaming or Roaming Profiles enabled

      in an Active Directory environment.)

      The ProtectedData module exists to overcome this limitation, while still

      allowing the convenience of not having to worry about managing or protecting

      encryption keys.  It does this, primarily, by leveraging RSA certificates.

  How It Works

      When you send a piece of data to the Protect-Data command, it is encrypted

      using a randomly-generated AES key and initialization vector (IV).  Copies

      of this key and IV are then encrypted using either the public keys of RSA

      certificates, or using a password-derived AES key (more on that later.)

      The resulting object can be persisted to disk with Export-Clixml, and can

      later be read back in with Import-Clixml and then passed to the

      Unprotect-Data command.  When you call Unprotect-Data, you must pass in either

      one of the passwords that was to protect the data, or the thumbprint of one

      of the certificates that was used to protect the data.  If you use a certificate

      when calling Unprotect-Data, you must have the certificate's private key.

  Regarding Password-derived Keys

      This module's intended use is to leverage RSA encryption wherever possible.

      This is what provides security, without the need for the user to worry about

      key protection or key management; the operating system takes care of this for

      you when you install a certificate (with or without its private key.)

      The various -Password parameters to the ProtectedData module's commands are

      intended as a backup mechanism.  If you are unable to decrypt the data with

      a certificate for some reason, you'd be able to enter the correct password

      to retrieve it or to add a new RSA-encrypted copy of the keys.

      If you do use the Password functionality of the module, you're encouraged to

      always enter these passwords interactively.  If you try to persist the passwords

      in some way, you're back to the original problem:  you can either use DPAPI

      and accept its limitations, or you have to manage and protect encryption keys

      yourself.

      All passwords are passed to the ProtectedData commands in the form of

      SecureString objects.

  Supported Data Types

      All data must be serialized to a byte array before it can be encrypted.  The

      ProtectedData module supports automatic serialization / deserialization of

      PSCredential, SecureString, and String objects.  If you want to encrypt another

      data type instead, you're responsible for converting it to a byte array yourself

      first, and passing the resulting byte array to Protect-Data's -InputObject

      parameter.

      The ProtectedData object which is returned from the Protect-Data command includes

      a Type property.  When you pass the object to Unprotect-Data, it uses this information

      to build and return an object of the original type for you (PSCredential, SecureString,

      String or Byte[] .)

  Regarding In-Memory Security

      The commands in the ProtectedData module make an effort to minimize the amount

      of time that any sensitive, unencrypted data is left in memory as well, but

      this is a tricky topic in a .NET application.  The Garbage Collector can

      sometimes create copies of unencrypted byte arrays before the module has had

      a chance to pin them.  This in-memory security is provided on a "best effort"

      basis.

  Certificate requirements

      The RSA certificates used with this module must allow Key Encipherment in their

      Key Usage extension, if present.  They must also be issued by a trusted certificate

      authority and be currently valid, unless you pass the -SkipCertificateVerification

      switch parameter when calling the various commands in the module.  This switch

      allows you to leverage self-signed certificates, etc, if you don't care about

      validating a trust chain and just want to get at the RSA key pair.

      Unfortunately, the current version of the .NET Framework doesn't handle Crypto

      Next Generation (CNG) certificates very well, even if they happen to be RSA

      certs.  You won't be able to access the private key of a certificate which

      uses a CNG key storage provider.  (These will typically be based on "Version 3"

      certificate templates which have selected "Microsoft Software Key Storage Provider".)

      You can verify which of your certificates are usable for both encryption and

      decryption ahead of time by running the following command:

      Get-KeyEncryptionCertificate -RequirePrivateKey -SkipCertificateVerification

      (With this set of parameters, the command searches the entire Cert: drive, including

      both CurrentUser and LocalMachine stores, and as mentioned earlier, the 

      -SkipCertificateVerification switch ignores certificate validity periods, trust

      chains and revocation status.)

SEE ALSO

    Protect-Data

    Unprotect-Data

    Add-ProtectedDataCredential

    Remove-ProtectedDataCredential

    Get-ProtectedDataSupportedTypes

    Get-KeyEncryptionCertificate