Credential Vault #

sqldsc provides a simple vault for storing the credentials (SQL Server login passwords) its resources use.

Overview #

The following commands are available:

  • vault list - lists the names of the stored credentials.
  • vault test sqldsc_credential - prompts for a password and reports whether it matches the password stored for sqldsc_credential. Use it to confirm what is in the vault before a deployment without printing the password.
  • vault save sqldsc_credential [login] - prompts for a password and writes the credential and password into the credential store, overwriting any existing credential with that name. An optional login can be supplied. Resource blocks do not need the login from the vault credential because they already carry their own; the login stored with the credential is meant for logging into SQL Servers.

The most common use case is creating the same login, with the same password, across multiple servers. Examples include monitoring tools that require a SQL Server login on every instance, or Availability Groups, where the login must be identical on each replica so that connections keep working after a failover.

In the login resource, specify the sqldsc_credential and the login is created with the password from that credential, so the password never has to appear in the resource file itself.

Security #

Passwords are protected with the Windows Data Protection API (DPAPI).

The vault is a JSON file at %LOCALAPPDATA%\sqldsc\.vault.json. %LOCALAPPDATA% is specific to each Windows user. The credential name and login name are stored in clear text; only the password is encrypted. The login name is not used in the current release.

DPAPI derives the encryption key from the user's logon secret (user scope); a machine scope also exists, but it would let every account on the host read the data. Because the vault uses the user scope, the file cannot be shared across users: a copy of .vault.json, or another user's file on the same machine, cannot be decrypted. The converse also holds: any process running as that user can decrypt the passwords, so the vault protects the file at rest and from other accounts, not from code already running in your own session.
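The following PowerShell is an added illustration of the two properties described on this page, not code from sqldsc: it protects a password with DPAPI in user scope, and then checks a candidate password against the stored blob the way a `vault test` style check can, without ever writing the plaintext back out. The entry field names (`name`, `login`, `password`), the base64 encoding of the ciphertext and the function names are assumptions made for the example; the real layout of .vault.json is not documented here.

```powershell
# Added illustration, not sqldsc's own code. Requires Windows (DPAPI).
Add-Type -AssemblyName System.Security

# Constructed stand-in for one vault entry. Field names are assumptions;
# the page only says that name and login are clear text and the password is encrypted.
$entry = [ordered]@{
    name     = 'monitoring_cred'
    login    = 'monitor'
    password = $null   # will hold the DPAPI ciphertext, base64-encoded (assumed encoding)
}

function Protect-VaultPassword {
    param([Parameter(Mandatory)][string]$Plaintext)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    try {
        # CurrentUser scope: the key comes from this user's logon secret, so another
        # account on the same machine, or a copy of the file elsewhere, cannot unprotect it.
        $blob = [Security.Cryptography.ProtectedData]::Protect(
            $bytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the plaintext in memory
    }
}

function Test-VaultPassword {
    param(
        [Parameter(Mandatory)][string]$ProtectedBase64,
        [Parameter(Mandatory)][string]$Candidate
    )
    $stored = $null
    $cand   = $null
    try {
        $blob   = [Convert]::FromBase64String($ProtectedBase64)
        $stored = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $cand   = [Text.Encoding]::UTF8.GetBytes($Candidate)
        # Compare every byte regardless of where the first mismatch is, so a wrong
        # guess does not leak how many leading bytes matched. Only the length leaks.
        if ($stored.Length -ne $cand.Length) { return $false }
        $diff = 0
        for ($i = 0; $i -lt $stored.Length; $i++) {
            $diff = $diff -bor ($stored[$i] -bxor $cand[$i])
        }
        return ($diff -eq 0)
    } catch [Security.Cryptography.CryptographicException] {
        # Thrown when the blob was protected by a different user or on a different
        # machine: this is the "can't be shared across users" property of the vault file.
        Write-Warning "DPAPI refused to unprotect the blob: $($_.Exception.Message)"
        return $false
    } finally {
        if ($null -ne $stored) { [Array]::Clear($stored, 0, $stored.Length) }
        if ($null -ne $cand)   { [Array]::Clear($cand, 0, $cand.Length) }
    }
}

# Usage: store a password, then test a matching and a wrong candidate as the same user.
$entry.password = Protect-VaultPassword -Plaintext 'S3cret!'
Test-VaultPassword -ProtectedBase64 $entry.password -Candidate 'S3cret!'   # matching password
Test-VaultPassword -ProtectedBase64 $entry.password -Candidate 'wrong'     # wrong password

# What an on-disk entry looks like: name and login readable, password only as ciphertext.
$entry | ConvertTo-Json
```

Run the last `Test-VaultPassword` call with the same base64 string under a different Windows account and `Unprotect` throws a CryptographicException instead of returning the bytes, which is the behaviour the Security section relies on. The flip side is visible in the same script: nothing in it asks for a password or an extra secret, so any code running as the vault's owner gets the same answer, and `Protect` with an `optionalEntropy` argument (left `$null` here) would only move that secret somewhere else rather than remove the problem.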