SecretBackup.psm1

<#
.SYNOPSIS
Exports secrets from a specified vault to a JSON file.

.DESCRIPTION
This function exports secrets from a specified vault to a JSON file. It retrieves secret information from the vault and converts it to a JSON format for export.

.PARAMETER VaultName
Specifies the name of the vault from which to export secrets. This parameter is mandatory.

.PARAMETER OutPath
Specifies the output path where the JSON file will be saved. If not provided, the current location will be used as the default output path.

.EXAMPLE
Export-Secret -VaultName 'MyVault' -OutPath 'C:\Backups'
Exports secrets from the 'MyVault' vault and saves the JSON file to the 'C:\Backups' directory.

.EXAMPLE
Export-Secret -VaultName 'MyVault'
Exports secrets from the 'MyVault' vault and saves the JSON file to the current location.

.NOTES
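Exports secrets in plain text, including the passwords of PSCredential secrets. Make sure you protect the exported file: store it where only the intended user can read it, and delete it once it is no longer needed.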
#>

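function Export-Secret {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]
        $VaultName,
        [string]
        $OutPath = (Get-Location).Path
    )
    # Aborts with a terminating error when the vault cannot be reached.
    Test-VaultAccess -VaultName $VaultName

    $Data = New-Object -TypeName System.Collections.ArrayList

    $AllSecrets = Get-SecretInfo -Vault $VaultName
    foreach ($Secret in $AllSecrets) {
        # Reset on every iteration: without this, a secret of an unhandled type
        # would re-add the previous secret's object (or $null on the first pass).
        $Obj = $null

        if ($Secret.Type -eq 'String' -or $Secret.Type -eq 'SecureString') {
            # -AsPlainText returns the value as a plain string so it can be serialized.
            $Obj = [PSCustomObject]@{
                Name   = $Secret.Name
                Type   = [string]$Secret.Type
                Secret = Get-Secret -Vault $VaultName -Name $Secret.Name -AsPlainText
            }
        } elseif ($Secret.Type -eq 'PSCredential') {
            $SecInfo = Get-Secret -Vault $VaultName -Name $Secret.Name -AsPlainText
            # The credential's password is decrypted here and written to the file as clear text.
            $Obj = [PSCustomObject]@{
                Name   = $Secret.Name
                Type   = [string]$Secret.Type
                Secret = @{
                    UserName = $SecInfo.UserName
                    Password = $SecInfo.Password | ConvertFrom-SecureString -AsPlainText
                }
            }
        }

        if ($null -eq $Obj) {
            # Only String, SecureString and PSCredential are handled above; say so
            # instead of silently producing an incomplete or duplicated backup.
            Write-Warning ("Skipping secret '{0}': type '{1}' is not handled by this export." -f $Secret.Name, $Secret.Type)
            continue
        }
        $Data.Add($Obj) | Out-Null
    }
    #TODO Better export file name, use date format
    $outFile = Join-Path -Path $OutPath -ChildPath 'Backup_Vault.json'
    # The file is created with whatever permissions $OutPath gives new files;
    # nothing here encrypts it or restricts access to it.
    $Data | ConvertTo-Json | Out-File -FilePath $outFile
    Write-Warning ("Secrets were written in plain text to '{0}'. Restrict access to this file and remove it when it is no longer needed." -f $outFile)
}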
<#
.SYNOPSIS
Imports secrets from a backup file into a specified vault.

.DESCRIPTION
This function imports secrets from a backup file (generated by Export-Secret from this module) into a specified vault. For each secret it checks whether a secret with the same name already exists in the vault: new secrets are added, and existing secrets are replaced only when the OverWrite switch is given.

.PARAMETER VaultName
The name of the vault where the secrets will be imported.

.PARAMETER BackupFile
The path to the backup file containing the secrets to be imported.

.PARAMETER OverWrite
A switch parameter that specifies whether existing secrets in the vault should be overwritten if they already exist.

.EXAMPLE
Import-Secret -VaultName "MyVault" -BackupFile "C:\Path\to\backup.json" -OverWrite
Imports secrets from the specified backup file into the "MyVault" vault, overwriting existing secrets if they already exist.
#>

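function Import-Secret {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]
        $VaultName,
        [Parameter(Mandatory)]
        [string]
        $BackupFile,
        [switch]
        $OverWrite
    )
    # Aborts with a terminating error when the vault cannot be reached.
    Test-VaultAccess -VaultName $VaultName

    #TODO Test JSON Syntax

    # The backup content is written into the vault as-is, so the file must come
    # from a location that only trusted users can modify.
    # -ErrorAction Stop: a missing or unreadable file ends the import here
    # instead of continuing with no data.
    $JSONData = Get-Content -Path $BackupFile -Raw -ErrorAction Stop | ConvertFrom-Json
    foreach ($Secret in $JSONData) {
        if ([string]::IsNullOrWhiteSpace($Secret.Name)) {
            Write-Warning 'Skipping a backup entry that has no Name.'
            continue
        }

        # NOTE(review): Get-SecretInfo -Name accepts wildcard characters, so a
        # name containing them may match other secrets - confirm this is acceptable.
        $SecretExists = [bool](Get-SecretInfo -Vault $VaultName -Name $Secret.Name)
        if ($SecretExists -and -not $OverWrite) {
            # Existing secrets are left untouched unless -OverWrite was given.
            continue
        }

        if ($Secret.Type -eq 'String') {
            Set-Secret -Vault $VaultName -Name $Secret.Name -Secret $Secret.Secret
        } elseif ($Secret.Type -eq 'SecureString') {
            # The backup holds the value as clear text; convert it back so the
            # secret is stored as a SecureString again rather than as a String.
            $secureValue = $Secret.Secret | ConvertTo-SecureString -AsPlainText -Force
            Set-Secret -Vault $VaultName -Name $Secret.Name -Secret $secureValue
        } elseif ($Secret.Type -eq 'PSCredential') {
            $username = $Secret.Secret.UserName
            # -Force is required by Windows PowerShell and accepted by PowerShell 7.
            $password = $Secret.Secret.Password | ConvertTo-SecureString -AsPlainText -Force
            $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
            Set-Secret -Vault $VaultName -Name $Secret.Name -Secret $credential
        } else {
            Write-Warning ("Skipping secret '{0}': type '{1}' is not handled by this import." -f $Secret.Name, $Secret.Type)
        }
    }
}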
function Test-VaultAccess {
    <#
    .SYNOPSIS
    Checks that the named vault can be accessed and stops with an error if not.

    .DESCRIPTION
    Calls Test-SecretVault for the given vault with -ErrorAction Stop. Any error
    raised by that call is re-reported as a terminating error prefixed with
    "Unable to access Vault!". The value returned by Test-SecretVault is discarded.

    .PARAMETER VaultName
    The name of the vault to test.
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [string]
        $VaultName
    )
    #TODO check if secret module is installed

    try {
        # NOTE(review): only errors are acted on; the result of Test-SecretVault is
        # thrown away, so a failed test that raises no error would pass - confirm.
        $null = Test-SecretVault -Name $VaultName -ErrorAction Stop
    }
    catch {
        $message = "Unable to access Vault! `n{0}" -f $Error[0]
        Write-Error -Message $message -ErrorAction Stop
    }
}