Credential Vault

Credential Vault #

SQLSDC provides a simple vault to store credentials (passwords). It operates in one of two modes: Local mode or Repository mode.

The most common use case is creating identical logins across multiple servers with the same password. Examples include monitoring tools that require SQL Server logins or Availability Groups that need identical logins.

In the login resource, you can specify the sqldsc_credential and it will use the password from that credential for the login. Each credential is a named key that maps to the encrypted password.

Local Mode #

This is the default. This mode is indicated sqldsc_vault_provider="local" in the sqldsc.settings.toml file in the root folder or the absence of this setting. If you just create a SQLDSC credential using SQLDSC vault save _credential_name_, this is the mode it will use.

Credentials are stored in %LOCALAPPDATA%\sqldsc\.vault.json. This directory is specific to each user. You can see the credential name and login name in clear text but the password is encrypted. The login name isn’t used in the current release.

The credentials are stored securely using the Windows DPAPI. The DPAPI encrypts with a user key and an optional machine key. That means the file can’t be shared across users.

In this mode, no encrypted credentials are stored in the configuration folder.

Respository Mode #

The repository mode was introduced in 1.43.14. It can be enabled by setting sqldsc_vault_provider="repository" in the sqldsc.settings.toml file in the root folder.

Credentials are stored in config/state/respository.vault.json. This file is inside the repository and is designed to be checked into a private, secure GIT repository.

Configuration #

This mode requires some configuration.

  1. Choose a master password for your repository vault and store it in the password manager for your organization.

  2. Edit (or create) sqldsc.settings.toml in the root folder of the application and add:

    sqldsc_vault_provider="repository"

  3. Each user of SQLDSC will add the master password to their own Windows Credential Manager by running sqldsc vault init. It will prompt for the master password and save it to the local Windows Credential Manager. The key is visible in the Generic Windows Credentials section under the key sqldsc.exe/vault/repository. The password is extracted when we need to encrypt or decrypt passwords.

Security #

Please be aware of the following security considerations in Repository Mode.

  1. You are responsible for choosing a strong master password.
  2. The Repository Mode vault file should only be checked into secure GIT repositories.
  3. SQLDSC uses scrypt and randomly generated salt to hash the master password into a derived key. It then uses 32 bytes of the derived key to encrypt the credential using AES-256. The encryption process uses Galois/Counter Mode (GCM) which is an authenticated encryption method.

Command Line #

The following commands are available

  • sqldsc vault list - list the stored credentials
  • sqldsc vault test credential_name - prompt for a password and test if that is the password stored for credential_name
  • sqldsc vault save credential_name [login] - prompt for a password and write that credential and password into the credential store. It will overwrite the existing credential if it exists. An optional login can be entered. Resource Blocks don’t need the login from the Vault because they already have it. The login is only used when the Credential is used to connect to the server.