
Registering an additional store just creates another reference to the first store #76

Open
nahir31 opened this issue Jul 10, 2021 · 5 comments
Labels: enhancement (New feature or request)

Comments

nahir31 commented Jul 10, 2021

Steps to reproduce:

  1. Register the first store of type Microsoft.PowerShell.SecretStore, name it, say, MyWallet
  2. Create two secrets, e.g., C1 & C2
  3. Register another store, also of type Microsoft.PowerShell.SecretStore, e.g., BlackWallet
  4. Make a new secret in BlackWallet, say C3
  5. You would expect to have a total of 3 secrets: C1, C2 (MyWallet) plus C3 (BlackWallet), but...

```
PS> Get-SecretInfo

Name Type   VaultName
---- ----   ---------
C1   String MyWallet
C2   String MyWallet
C3   String MyWallet
C1   String BlackWallet
C2   String BlackWallet
C3   String BlackWallet
```

  6. Removing any of the secrets will remove it from both stores/wallets.
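The steps above, as an added example that is not part of the issue or of the SecretManagement/SecretStore projects: the script registers two vaults backed by the same module and then checks explicitly, rather than by reading the table, that a secret written through one registration is listed by the other and that removing it through one registration removes it from both. It assumes both modules are installed and resets the SecretStore to a non-interactive configuration (Authentication None, Interaction None) so that it runs without a password prompt; that configuration, and the fact that the two registrations share one store, are the assumptions being tested. Vault and secret names follow the issue.

```powershell
# Added example (not from the issue or the SecretManagement/SecretStore projects).
# Reproduces the shared-backing-store behaviour reported above and checks it
# explicitly instead of relying on the Get-SecretInfo table.
# Assumptions: Microsoft.PowerShell.SecretManagement and
# Microsoft.PowerShell.SecretStore are installed; the store is reset to a
# non-interactive configuration so the script runs without prompts.
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

# Non-interactive store for the demo. -Force skips the confirmation and WIPES
# any existing SecretStore contents, so do not run this against a store you use.
Reset-SecretStore -Authentication None -Interaction None -Force

# Two registrations, same backing module (the situation from the issue).
Register-SecretVault -Name MyWallet    -ModuleName Microsoft.PowerShell.SecretStore
Register-SecretVault -Name BlackWallet -ModuleName Microsoft.PowerShell.SecretStore

Set-Secret -Name C1 -Secret 'one'   -Vault MyWallet
Set-Secret -Name C2 -Secret 'two'   -Vault MyWallet
Set-Secret -Name C3 -Secret 'three' -Vault BlackWallet

# Listing: each registration name reports every secret in the single store.
Get-SecretInfo | Format-Table Name, Type, VaultName

# Check 1: the two registrations list exactly the same secret names.
$inMy    = @((Get-SecretInfo -Vault MyWallet).Name)    | Sort-Object
$inBlack = @((Get-SecretInfo -Vault BlackWallet).Name) | Sort-Object
if (-not (Compare-Object $inMy $inBlack)) {
    Write-Warning "Both registrations list the same secrets: $($inMy -join ', ')"
}

# Check 2 (the data-loss case): remove C1 through BlackWallet, then look for
# it through MyWallet. If it is gone there too, the vaults are one store.
Remove-Secret -Name C1 -Vault BlackWallet
if (-not (Get-SecretInfo -Name C1 -Vault MyWallet)) {
    Write-Warning 'C1 removed via BlackWallet is also gone from MyWallet'
}

# Clean up the demo registrations; unregistering does not delete stored secrets.
Unregister-SecretVault -Name BlackWallet
Unregister-SecretVault -Name MyWallet
```

Both warnings firing is the confirmation of the report: the second registration is an alias of the first store, not a second store, so any removal through either name is a removal from the only copy.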
PaulHigin transferred this issue from PowerShell/SecretManagement Jul 12, 2021

PaulHigin (Contributor) commented

This is currently by design for the SecretStore extension vault. It is limited to a single vault for a single user account (-Scope CurrentUser). We plan to enhance it to include a machine wide scope (-Scope AllUsers) at some point, but there would still be just one vault instance for the entire machine.

We can consider supporting multiple vault instances (per user or per machine) in the future. I assume the reason for this would be to store specific types of secrets in different vault instances? Each vault instance would have its own password (if password configuration is selected).

PaulHigin added the enhancement (New feature or request) label Jul 12, 2021

nahir31 (Author) commented Jul 12, 2021

Alright, but in the meantime you should have blocked the possibility of registering more than a single vault of the same type.

The current situation might easily lead to data loss: the user sees what appear to be two different vaults (since they are shown with different names), then he/she might remove secrets from one of these vaults without realizing that by doing so they are actually removing the data forever from both.

PaulHigin (Contributor) commented

That is a good point. We currently allow multiple registrations in case an extension vault provides for it. But I can see how this leads to confusion. I think we can solve this problem by having extension vaults indicate whether they support multiple registration, and if not then emit an error.
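One user-side way to get the "emit an error" behaviour described above until the module itself provides it, as an added example that is neither the project's code nor its proposed API: a wrapper around Register-SecretVault that refuses a second registration of any module listed as single-instance. Register-SecretVaultOnce is a hypothetical name, and the $SingleInstanceModules default is an assumption in which only Microsoft.PowerShell.SecretStore comes from this issue. It relies on Get-SecretVault exposing each registration's Name and ModuleName, which the SecretManagement module does.

```powershell
# Added example (not part of SecretManagement or SecretStore). A wrapper that
# rejects a second registration of a module known to back all of its
# registrations with one shared store. Register-SecretVaultOnce is a
# hypothetical name; the $SingleInstanceModules default is an assumption.
function Register-SecretVaultOnce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $ModuleName,
        [hashtable] $VaultParameters = @{},
        # Modules for which a second registration would alias the first store.
        [string[]] $SingleInstanceModules = @('Microsoft.PowerShell.SecretStore')
    )

    # -contains is case-insensitive, matching how PowerShell treats module names.
    if ($SingleInstanceModules -contains $ModuleName) {
        # Get-SecretVault lists every registration with its backing ModuleName.
        $existing = @(Get-SecretVault | Where-Object {
            $_.ModuleName -eq $ModuleName -and $_.Name -ne $Name
        })
        if ($existing.Count -gt 0) {
            $names = ($existing | ForEach-Object Name) -join ', '
            throw ("Refusing to register '$Name': module $ModuleName is already " +
                   "registered as '$names' and would share the same store, so " +
                   "Remove-Secret through either name deletes from both.")
        }
    }

    Register-SecretVault -Name $Name -ModuleName $ModuleName -VaultParameters $VaultParameters
}

# Usage: the first registration succeeds; the second is rejected with an
# explanation instead of silently aliasing the same store under a new name.
Register-SecretVaultOnce -Name MyWallet -ModuleName Microsoft.PowerShell.SecretStore
try {
    Register-SecretVaultOnce -Name BlackWallet -ModuleName Microsoft.PowerShell.SecretStore
}
catch {
    Write-Warning $_.Exception.Message
}
```

The check is deliberately on the backing module rather than on the vault name, since the two names are exactly what makes the shared store look like two vaults; the list of single-instance modules is the one piece the wrapper cannot discover on its own, which is why having extension vaults declare it, as proposed above, is the better fix.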

PaulHigin (Contributor) commented Jul 12, 2021

I'll create an issue in Microsoft.PowerShell.SecretManagement for this.

PowerShell/SecretManagement#167 (comment)

robinmalik commented

I also hit this issue (I was discussing with colleagues how we might utilise the SecretStore module for automation and configuring a vault per internal technical service). We'll use a single vault for now.
