
Have you seen PowerCLI’s “Credential Store” feature?

It just occurred to me that a very useful feature of PowerCLI never got the introduction it deserves. The feature is the Credential Store and, as the name suggests, its job is to store credentials. As a result:

  1. Credentials are kept securely (no need to hard code passwords along with scripts)
  2. You type less (no need to specify user and password to Connect-VIServer)

So, how does it work in practice?

Say I connect to my VC like this:

Connect-VIServer 192.168.10.10 -User Andrey -Password "my favorite password"

To use the credential store, I do the following:

New-VICredentialStoreItem -Host 192.168.10.10 -User "Andrey" -Password "my favorite password"

Now I can type just:

Connect-VIServer 192.168.10.10

When I don’t specify user and/or password, Connect-VIServer checks the credential store, finds my newly stored credential and uses it.

By default the credential store file is stored under the user profile directory. It is encrypted. If I got you interested, check “help *VICredentialStoreItem” for details.

Andrey Anastasov,

PowerCLI Architect
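
The steps above, written as an added example (not code from the original post) that fills the credential store from a masked prompt, so the password is neither typed as part of the command nor saved in a script file. It assumes PowerCLI is loaded in the session and reuses the post's sample address; `$vcHost` and `$cred` are names chosen for this example.

```powershell
# Added example: populate the PowerCLI credential store without a literal password.
# $vcHost reuses the sample address from the post; change it for your environment.
$vcHost = '192.168.10.10'

# Prompt for the account. The password is entered masked and held as a
# SecureString inside the PSCredential object.
$cred = Get-Credential -Message "Account to store for $vcHost"

# New-VICredentialStoreItem takes -Password as a plain string, so convert it
# only at the point of the call instead of writing it out in the command.
New-VICredentialStoreItem -Host $vcHost `
    -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password | Out-Null

# Drop the in-memory copy once the entry has been written.
Remove-Variable cred

# Confirm that an entry exists. Select only Host and User: the returned item
# also carries the decrypted password for the user who owns the store.
Get-VICredentialStoreItem -Host $vcHost | Select-Object Host, User

# Connect without -User/-Password; Connect-VIServer looks the entry up.
Connect-VIServer $vcHost

# When the account is retired or its password is rotated, remove the old entry:
# Get-VICredentialStoreItem -Host $vcHost | Remove-VICredentialStoreItem -Confirm:$false
```

Because the store can be read back by anything running as the same Windows user, store a dedicated account with only the vCenter privileges the scripts need.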

7 thoughts on “Have you seen PowerCLI’s “Credential Store” feature?”

  1. Andrey Anastasov

    The credential store is encrypted with .Net’s ProtectedData.Protect() function which delegates to Windows’ CryptProtectData(). It is considered a secure way to protect data and – to my knowledge – is the method employed by the built-in Windows file encryption (EFS).
    To decrypt the data, an attacker must have enough information to log in as the user who encrypted the data. In other words, even if someone steals the hard disk, the data is secure as long as the user password is unavailable to the attacker. An administrator cannot read the data by forcing password reset.

  5. Thomas

    Andrey, thanks for this hint. One question though: When I type New-VICredentialStoreItem -Host 192.168.10.10 -User "Andrey" -Password "my favorite password" this command is stored in the PowerCLI command history, meaning that anybody could stumble upon my typed out password.
    Clear-History does not delete any of the vSphere PowerCLI commands, nor does closing the whole thing and rebooting.

    Is there a way to remove my typed out password from PowerCLI's command history?

    Regards,
    Thomas
