The FileVault module is a collection of file-tool cmdlets that integrate with Hashicorp's Vault server and the KeyBase Vault. Three of the cmdlets are renamed cmdlets from the FileCryptography.psm1 module (https://gallery.technet.microsoft.com/scriptcenter/EncryptDecrypt-files-use-65e7ae5d).
Hashicorp's Vault server can be downloaded from: https://www.vaultproject.io/downloads.html.
For Vault server setup see: https://cadayton.onrender.com/modules/FileVault/Vault-Setup.html
KeyBase can be downloaded from https://keybase.io/. Keybase implements secure messaging, chat, a filesystem, git and a kvstore. I refer to the kvstore feature as KeyBase Vault because it provides functionality similar to Hashicorp's Vault server.
The FileVault module depends on the Zyborg.Vault module for integration with Hashicorp's Vault server.
```powershell
Install-Module Zyborg.Vault
```
| cmdlet | Description |
|---|---|
| Get-Files | Returns a list of files based on path and search criteria |
| Show-Files | Same as Get-Files but displays the results on the console |
| Add-File | Creates an empty file |
| Set-FileTime | Changes the Creation, Modification and Last Access date/time |
| New-CryptoKey | Generates a random cryptography key |
| ConvertTo-Encrypted | Encrypts a file using a symmetric algorithm |
| ConvertFrom-Encrypted | Decrypts a file encrypted with ConvertTo-Encrypted |
| Add-EncryptedFile | Encrypts a file and stores the key in the Vault server |
| Show-EncryptedFile | Obtains the key from the Vault server and displays the file using the default application |
| Add-KeyValue | Updates or adds a key/value at the specified path in the Vault server |
| Remove-KeyValue | Removes a key/value associated with a path in the Vault server |
| Get-KeyValue | Returns the value of a specified key in the Vault server |
| Show-KeyValue | Displays on the console the value associated with a key in the Vault server |
| Get-Paths | Returns a list of paths under the root path in the Vault server |
| Show-Paths | Same as Get-Paths but the paths are displayed on the console |
| cmdlet | Description |
|---|---|
| Set-KBentryValue | Creates an entryValue for a given entryKey in the KeyBase Vault |
| Get-KBentryValue | Returns the PSCredential object for a given entryKey in a KeyBase Vault |
| Show-KBentryValue | Copies the KeyBase Vault entryValue for a given entryKey to the clipboard |
| Show-KBentryKeys | Displays the entryKeys in a namespace for a KeyBase team or account |
| Show-KBnameSpaces | Displays the namespaces for a KeyBase team or account |
| Remove-KBentryKey | Removes the specified entryKey in a KeyBase Vault |
Use Get-Help to get more detailed cmdlet help and examples.
The code and documentation for FileVault can be downloaded here: https://cadayton.onrender.com/modules/FileVault/
This module is not published in the PSGallery. Simply copy FileVault.psm1 to any folder and execute the following in the console or in a PowerShell script:

```powershell
Import-Module C:\bin\ps\FileVault.psm1
```

If desired, create your own private PSGallery and publish this module to it.
The following environment variables need to be set either system wide or in the PowerShell console session.
| Variable | Description |
|---|---|
| vault_addr | The URL address of the Hashicorp Vault server. Example: https://computer.mydomain.org:8200 |
| vault_path | The root path set for the account accessing the Hashicorp Vault server |
| vault_authmethod | The method used to authenticate with the Hashicorp Vault server. Example: userpass or okta |
| vault_token | This variable is automatically set after the account authenticates with the Hashicorp Vault server |

```powershell
$env:vault_addr="https://computer.mydomain.org:8200"
$env:vault_path="mypath"
$env:vault_authmethod="userpass"
```
The vault_token variable is set by the authentication process in the FileVault module.
The following environment variables need to be set either system wide or in the PowerShell console session.
| Variable | Description |
|---|---|
| KEYBASE_BIN | Full executable path of the KeyBase binary. Example: C:\bin\keybase\keybase.exe |
| KEYBASE_TM | Optional default teamName to be used |
| KEYBASE_NS | Optional default namespace to be used |

```powershell
$env:KEYBASE_BIN="C:\Users\<username>\AppData\Local\Keybase\KeyBase.exe"
$env:KEYBASE_TM="myteam"
$env:KEYBASE_NS="teamscrets"
```
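The two environment tables above are easy to get subtly wrong (a plaintext `http://` Vault address, a KEYBASE_BIN path that does not exist, a stale `vault_token` left over from an earlier session). The function below is an added example, not part of the FileVault module: it sets every variable from both tables in one call and checks them before any FileVault cmdlet is used. The function name, parameter names and the sample values are all assumptions made for this illustration.

```powershell
# Added example (not part of the FileVault module): one-time session setup for the
# variables in the two tables above, with sanity checks before any FileVault cmdlet runs.
function Initialize-FileVaultSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VaultAddr,
        [Parameter(Mandatory)][string]$VaultPath,
        [ValidateSet('userpass', 'okta')][string]$AuthMethod = 'userpass',
        [Parameter(Mandatory)][string]$KeybaseBin,
        [string]$KeybaseTeam,
        [string]$KeybaseNamespace
    )

    # Refuse a plaintext Vault address: credentials and the returned token
    # would otherwise cross the network unprotected.
    if ($VaultAddr -notmatch '^https://') {
        throw "vault_addr must use https, got '$VaultAddr'"
    }
    # KEYBASE_BIN is invoked as an executable later; make sure it is really there.
    if (-not (Test-Path -LiteralPath $KeybaseBin -PathType Leaf)) {
        throw "KEYBASE_BIN does not point at an executable: $KeybaseBin"
    }

    $env:vault_addr       = $VaultAddr.TrimEnd('/')
    $env:vault_path       = $VaultPath
    $env:vault_authmethod = $AuthMethod
    $env:KEYBASE_BIN      = $KeybaseBin
    if ($KeybaseTeam)      { $env:KEYBASE_TM = $KeybaseTeam }
    if ($KeybaseNamespace) { $env:KEYBASE_NS = $KeybaseNamespace }

    # vault_token is set by the module after authentication. A token left over
    # from an earlier session would be reused silently, so start clean and let
    # Get-VaultToken prompt for fresh credentials.
    if ($env:vault_token) {
        Remove-Item -Path Env:\vault_token
        Write-Verbose 'Cleared a leftover vault_token from the environment.'
    }

    # Return what was set so the caller can eyeball it (no secrets are included).
    [pscustomobject]@{
        vault_addr       = $env:vault_addr
        vault_path       = $env:vault_path
        vault_authmethod = $env:vault_authmethod
        KEYBASE_BIN      = $env:KEYBASE_BIN
        KEYBASE_TM       = $env:KEYBASE_TM
        KEYBASE_NS       = $env:KEYBASE_NS
    }
}

# Placeholder values; replace with your own server, root path, team and namespace.
Initialize-FileVaultSession -VaultAddr 'https://computer.mydomain.org:8200' -VaultPath 'mypath' `
    -KeybaseBin "$env:LOCALAPPDATA\Keybase\keybase.exe" `
    -KeybaseTeam 'myteam' -KeybaseNamespace 'teamsecrets' -Verbose
```

Put the call in your PowerShell profile if you want the checks to run at the start of every session; the function deliberately never writes `vault_token` itself, leaving that to the module's authentication flow.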
If authentication has not yet been established with the Vault server, each of the commands below will first prompt for credentials. A successful authentication returns a token.
The returned token is only valid for a limited time, which depends on the policy associated with the credentials. When the token expires, another prompt for credentials is presented.

```powershell
Get-VaultToken
```

This is the cmdlet called by the other cmdlets to retrieve a Vault token for accessing the Vault server.
If authentication is successful, the environment variable vault_token is set to the returned token value.
```powershell
Show-Paths
```

Displays on the console the list of paths available to the vault token.
```powershell
Show-KeyValue -Path myapp -key BigSecret
```

Assuming the environment variable vault_path was set to mypath, the full path mypath/myapp is used to display the value associated with the key BigSecret.
```powershell
Add-KeyValue -Path newapp -Key password -Value some_long_complicated_string_value
```

Assuming the environment variable vault_path was set to mypath, a sub-path newapp is created with the specified key/value pair.
```powershell
Remove-KeyValue -Path newapp -Key password
```

Assuming the environment variable vault_path was set to mypath, the key password under the sub-path newapp is removed. If no other keys remain under the sub-path newapp, the sub-path is removed too.
```powershell
Add-EncryptedFile -filename SensitiveFile.txt
```

The file SensitiveFile.txt is compressed and encrypted into a resulting file named SensitiveFile.txt.zip.AES.
Assuming the environment variable vault_path was set to mypath, the key needed to decrypt the file is stored under the sub-path mypath/SensitiveFile.txt.zip.AES, with SensitiveFile.txt.zip.AES as the key name and the decryption key as its value.
Both the file SensitiveFile.txt and its temporary zip file are removed.
```powershell
Show-EncryptedFile -filename SensitiveFile.txt
```

The file SensitiveFile.txt.zip.AES is decrypted and uncompressed using the key/value pair from the Vault server. The file is then opened with the default application associated with '.txt' files on the computer.
Both the file SensitiveFile.txt and its temporary zip file are removed.
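Because Add-EncryptedFile deletes the plaintext as soon as it has encrypted it, it is worth verifying, for each file, that the ciphertext exists, the plaintext is gone, and the decryption key actually reached the Vault under the naming convention described above (sub-path and key both named `<file>.zip.AES`). The function below is an added example, not the module's own code; it records a SHA-256 of each original before encryption so a later Show-EncryptedFile can be checked against it. It assumes vault_path is set, that Add-EncryptedFile accepts a full path and writes the `.zip.AES` file next to the original, and that Get-KeyValue returns `$null` or an empty string for a missing key. The function name and file paths are illustrative.

```powershell
# Added example (not the module's own code): encrypt several files with
# Add-EncryptedFile and verify each result, producing a manifest of hashes.
function Protect-FilesToVault {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $item         = Get-Item -LiteralPath $file
        $expectedName = "$($item.Name).zip.AES"                      # naming convention from the text
        $expectedFile = Join-Path $item.DirectoryName $expectedName  # assumed output location

        # Fingerprint the plaintext before the module removes it.
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

        Add-EncryptedFile -filename $item.FullName

        # The key is stored under sub-path <name>.zip.AES with key name <name>.zip.AES.
        $keyInVault = [bool](Get-KeyValue -Path $expectedName -Key $expectedName)
        $cipherOk   = Test-Path -LiteralPath $expectedFile -PathType Leaf
        $plainGone  = -not (Test-Path -LiteralPath $item.FullName)

        [pscustomobject]@{
            Original          = $item.FullName
            Encrypted         = $expectedFile
            OriginalSHA256    = $hash
            CiphertextPresent = $cipherOk
            PlaintextRemoved  = $plainGone
            KeyInVault        = $keyInVault
            Healthy           = ($cipherOk -and $plainGone -and $keyInVault)
        }
    }
}

# Placeholder file names; the manifest contains hashes only, never keys.
Protect-FilesToVault -Path 'C:\data\SensitiveFile.txt', 'C:\data\Notes.txt' |
    Tee-Object -Variable manifest |
    Format-Table Original, CiphertextPresent, PlaintextRemoved, KeyInVault, Healthy

$manifest | Export-Csv -LiteralPath 'C:\data\encrypt-manifest.csv' -NoTypeInformation
```

Any row with `Healthy` equal to `$false` deserves attention before the ciphertext is relied on: a missing key in the Vault means the `.zip.AES` file cannot be recovered, while a plaintext that is still present means the sensitive content never left the disk.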
To view the other cmdlets available in the FileVault module:

```powershell
Get-Command -Module FileVault
```

Get help and examples for any of the cmdlets:

```powershell
Get-Help <cmdlet> -Full | more
```