Replace plain-text secrets with DPAPI-encrypted vault #137
Open
innovara wants to merge 4 commits into
Introduces a DPAPI-backed vault system to replace plain-text secret storage. This ensures that sensitive environment variables are only accessible to the NT AUTHORITY\SYSTEM account.

Key features:
- Administrative requirement: must be run with elevated privileges to manage the scheduled tasks and system directories.
- Dual-mode execution: supports interactive standalone creation or orchestrated secret export via dot-sourcing.
- Secure encryption: utilizes DPAPI via SecureString and Clixml to lock credentials to the SYSTEM account's identity.
- Interactive creation: provides a standalone CLI flow to collect passwords securely without echoing them to the console.
- Automatic backups: detects existing vault files and creates timestamped backups before generating new ones.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>

Updates the installation process to prioritize the new VaultManager system while maintaining backward compatibility for legacy plain-text secrets.

Key features:
- Secure credential integration: implements a workflow to create a DPAPI-encrypted vault if no credentials are found in the environment.
- Identity-consistent initialization: performs repository initialization via a temporary SYSTEM task to ensure credentials and permissions are correctly configured for the background service account.
- Legacy support: honors existing secrets.ps1 configurations for users who have manually opted for plain-text secret storage.
- Robust state detection: introduces a repository check (cat config) to verify access to existing repositories during installation.
- Enhanced logging: captures restic initialization output to dedicated log files to assist with troubleshooting permission or network issues.
- Fast-fail logic: adds explicit checks for required configuration files to prevent incomplete installations.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>

Relocates the repository URL and SMTP settings from the secrets sample to the config sample. This ensures these parameters remain available for users who use the new vault system instead of a secrets.ps1 file.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>

Updates the main backup script to load credentials from the secure vault. If a vault is present, it uses the VaultManager to export secrets to the environment; otherwise, it falls back to the legacy secrets.ps1 file.

Key features:
- Secure secret loading: prioritizes the DPAPI-encrypted vault for retrieving the restic password and other sensitive keys.
- Email credential mapping: specifically handles the extraction of the email password from the vault to maintain notification functionality.
- Conditional fallback: maintains support for the legacy plain-text secrets file if no vault is detected.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>

Summary: replaces the secrets.ps1 file with a Windows Data Protection API (DPAPI) vault to prevent storing repository credentials in plain text.

Changes:
- SYSTEM account.
- install.ps1 to a SYSTEM task to verify the account can unlock the vault and reach the repository before setup completes.
- backup.ps1 to pull secrets from the vault, with a fallback for existing secrets.ps1 files.
- config_sample.ps1.

This PR supersedes #113
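
The vault pattern the commit messages describe (SecureString values written with Clixml, a timestamped backup of any existing vault, and a fallback to secrets.ps1) can be sketched as below. This is an added example, not code from this pull request or the project; the function names, file paths and hashtable layout are hypothetical, and RESTIC_PASSWORD is used only as a sample variable name.

```powershell
# Added illustration, not the PR's code. Function names, paths and the
# hashtable vault layout are hypothetical. Windows only.
function Save-Vault {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Secrets   # env var name -> [securestring]
    )
    # Keep a timestamped copy of any existing vault before replacing it.
    if (Test-Path -LiteralPath $Path) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -LiteralPath $Path -Destination "$Path.$stamp.bak"
    }
    # On Windows, Export-Clixml writes each SecureString encrypted with DPAPI,
    # bound to the calling account on this machine.
    Export-Clixml -InputObject $Secrets -LiteralPath $Path
}

function Import-VaultToEnvironment {
    param([Parameter(Mandatory)] [string] $Path)
    # Decryption fails here if the caller is not the account that wrote the vault.
    $vault = Import-Clixml -LiteralPath $Path
    foreach ($name in $vault.Keys) {
        # Convert the SecureString to plain text only at the point of use.
        $plain = [System.Net.NetworkCredential]::new('', $vault[$name]).Password
        Set-Item -Path "Env:$name" -Value $plain
    }
}

function Import-BackupSecrets {
    param(
        [Parameter(Mandatory)] [string] $VaultPath,
        [Parameter(Mandatory)] [string] $LegacyPath
    )
    if (Test-Path -LiteralPath $VaultPath) {
        Import-VaultToEnvironment -Path $VaultPath
    } elseif (Test-Path -LiteralPath $LegacyPath) {
        # Assumption: the legacy file sets $env: variables; ordinary variables
        # defined in it would stay local to this function.
        . $LegacyPath
    } else {
        throw "No vault or legacy secrets file found."
    }
}

# Usage, run as the account that will later read the vault:
#   $pw = Read-Host -Prompt 'Repository password' -AsSecureString   # no echo
#   Save-Vault -Path 'C:\example\vault.xml' -Secrets @{ RESTIC_PASSWORD = $pw }
#   Import-BackupSecrets -VaultPath 'C:\example\vault.xml' -LegacyPath 'C:\example\secrets.ps1'
```

Because DPAPI binds the file to the writing account, a vault meant for a SYSTEM-run backup has to be saved from a process that is itself running as SYSTEM. After import the values are plain text in the process environment and are inherited by child processes.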