<#
.SYNOPSIS
Encrypts and stores vCenter credentials using a shared encryption key.
.DESCRIPTION
This script prompts the user to enter vCenter credentials, encrypts the password with the AES key read from a predefined key file
(ConvertFrom-SecureString -Key), and saves the encrypted password together with the username to a specified file. Because the key
file, not the current user's Windows profile, protects the password, any administrator or automated task that can read both the key
file and the credentials file can decrypt it: the security of this setup rests entirely on the access controls applied to those two files.
.AUTHOR
virtualox
.GITHUB_REPOSITORY
https://github.com/virtualox/VM-Balancer
.LICENSE
This script is licensed under the GPL-3.0 License. See the LICENSE file for more information.
.USAGE
.\Create-VCenterCredentials.ps1
.NOTES
- Ensure that the encryption key has been generated using Generate-EncryptionKey.ps1 before running this script.
- The encryption key path and credential storage path must match those used in Balance-VMs.ps1.
- Store the encrypted credentials file in a secure location with restricted access. The key file is the effective secret: anyone able to read
  both files can recover the password with ConvertTo-SecureString -Key, so protect the key at least as strictly as the credentials file and
  preferably keep it in a separate directory with its own ACL rather than beside the credentials file.
- Secure-CredentialsFile grants access only to the account that runs this script. If Balance-VMs.ps1 runs under a different account
  (for example a scheduled-task service account), grant that account Read access to the credentials file (and the key file) afterwards.
- The credentials file is written as JSON regardless of the extension used in the configured path.
#>
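param (
    # === Configuration Variables ===
    # Both values keep their previous defaults but can now be overridden on the
    # command line, e.g.
    #   .\Create-VCenterCredentials.ps1 -encryptionKeyPath D:\Keys\vc.key -credentialPath D:\Secure\vc.json
    # Running the script with no arguments behaves exactly as before.

    # Path to the encryption key file (raw AES key bytes).
    # <-- Must match the key generated by Generate-EncryptionKey.ps1
    [ValidateNotNullOrEmpty()]
    [string]$encryptionKeyPath = "C:\Secure\Credentials\encryptionKey.key",

    # Path where the encrypted credentials will be stored.
    # The content is JSON (ConvertTo-Json) regardless of the extension chosen here.
    # <-- Must match the credential path used by Balance-VMs.ps1
    [ValidateNotNullOrEmpty()]
    [string]$credentialPath = "C:\Secure\Credentials\vcCredentials.xml"
    # === End of Configuration Variables ===
)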
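# Returns $true when an encryption key FILE exists at $Path.
#
# Parameters:
#   Path - filesystem path of the key file written by Generate-EncryptionKey.ps1
#
# A directory at that location is rejected (-PathType Leaf): the key has to be a
# readable file, and accepting a directory here would only defer the failure to
# the Get-Content call in Encrypt-And-Store-Credentials with a less helpful error.
# An empty or whitespace-only path is treated as "no key" instead of letting
# Test-Path throw a parameter-binding error.
function Test-EncryptionKeyExists {
    param (
        [string]$Path
    )
    if ([string]::IsNullOrWhiteSpace($Path)) {
        return $false
    }
    return (Test-Path -Path $Path -PathType Leaf)
}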
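# Prompts for vCenter credentials, encrypts the password with the AES key stored
# at $KeyPath (ConvertFrom-SecureString -Key) and writes a JSON document holding
# Username and EncryptedPassword to $CredPath (overwriting any existing file).
#
# Parameters:
#   KeyPath  - path to the raw key file; must be 16, 24 or 32 bytes (AES-128/192/256)
#   CredPath - destination file for the JSON credential record
#
# On any failure a non-terminating error is written and the script exits with
# code 1. Security note: anyone who can read both $KeyPath and $CredPath can
# recover the password, so the key file needs at least the same protection as
# the output file.
function Encrypt-And-Store-Credentials {
    param (
        [string]$KeyPath,
        [string]$CredPath
    )
    try {
        # Prompt user for vCenter credentials. Get-Credential returns $null when the
        # prompt is cancelled; without this check a record with null fields would be
        # written and silently break Balance-VMs.ps1 later.
        $credential = Get-Credential -Message "Enter your vCenter credentials"
        if ($null -eq $credential) {
            throw "No credentials were entered (the prompt was cancelled)."
        }
        $username = $credential.UserName
        $password = $credential.Password

        # Read the raw key bytes. '-Encoding Byte' exists only in Windows PowerShell
        # 5.1; PowerShell 6+ replaced it with '-AsByteStream'. -ReadCount 0 returns
        # the whole file as one array instead of streaming byte by byte.
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $key = [byte[]](Get-Content -Path $KeyPath -AsByteStream -ReadCount 0)
        }
        else {
            $key = [byte[]](Get-Content -Path $KeyPath -Encoding Byte -ReadCount 0)
        }
        # Fail early with an actionable message instead of the generic cmdlet error.
        $keyLength = if ($null -eq $key) { 0 } else { $key.Length }
        if ($keyLength -notin 16, 24, 32) {
            throw "Encryption key at '$KeyPath' must be exactly 16, 24 or 32 bytes (found $keyLength)."
        }

        # Encrypt with the shared key (not the user's DPAPI profile) so that other
        # accounts and machines holding the same key can decrypt the value.
        $encryptedPassword = $password | ConvertFrom-SecureString -Key $key

        $credentialObject = [PSCustomObject]@{
            Username          = $username
            EncryptedPassword = $encryptedPassword
        }
        # The file is JSON regardless of the extension used in $CredPath.
        $credentialObject | ConvertTo-Json | Set-Content -Path $CredPath -Force
        Write-Output "vCenter credentials have been encrypted and stored successfully at '$CredPath'."
    }
    catch {
        Write-Error "Failed to encrypt and store credentials: $_"
        exit 1
    }
}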
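# Restricts the DACL of $Path so that only the account running this script
# (WindowsIdentity.GetCurrent) keeps access, with FullControl: inheritance from
# the parent directory is switched off and every other ACE is removed.
#
# Parameters:
#   Path - the credentials file to lock down
#
# Consequence for callers: a scheduled task or another administrator running
# Balance-VMs.ps1 under a different account will NOT be able to read the file
# unless that account is granted Read access afterwards.
#
# Failures are reported with Write-Warning (now including the underlying error
# text) and do not stop the script; the caller decides whether an unsecured file
# is acceptable.
function Secure-CredentialsFile {
    param (
        [string]$Path
    )
    try {
        $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $aclFile = Get-Acl -Path $Path

        # Stop inheriting from the parent directory and discard the inherited ACEs.
        # This has to come first: RemoveAccessRule only affects explicit entries and
        # silently ignores inherited ones.
        $aclFile.SetAccessRuleProtection($true, $false)

        # Remove every remaining explicit ACE, including any for the current user;
        # SetAccessRule below re-adds exactly one entry for that account. Filtering
        # on IsInherited avoids comparing an IdentityReference object against a
        # string. The snapshot (@(...)) keeps the loop safe while the ACL is mutated,
        # and [void] drops the True/False return values that would otherwise leak
        # into the script's output.
        foreach ($rule in @($aclFile.Access | Where-Object { -not $_.IsInherited })) {
            [void]$aclFile.RemoveAccessRule($rule)
        }

        # Only the current user, FullControl, no inheritance flags (this is a file).
        $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $currentUser,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $aclFile.SetAccessRule($ownerRule)
        Set-Acl -Path $Path -AclObject $aclFile
        Write-Output "Set restricted permissions on '$Path'."
    }
    catch {
        Write-Warning "Failed to set permissions on '$Path': $_ Please ensure it is secured properly."
    }
}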
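# === Main Execution ===
# Ordering matters: the credentials file is created (empty, if it does not exist
# yet) and locked down BEFORE any content is written to it. A freshly written
# file would otherwise carry the ACL inherited from its parent directory until
# Secure-CredentialsFile ran afterwards. Set-Content on an existing file keeps
# that file's DACL, so securing first closes that window.

# The key is a precondition for everything below.
if (-not (Test-EncryptionKeyExists -Path $encryptionKeyPath)) {
    Write-Error "Encryption key not found at '$encryptionKeyPath'. Please generate it using Generate-EncryptionKey.ps1 before storing credentials."
    exit 1
}

# Ensure the target directory exists. A new directory inherits its parent's
# ACL, which on a default Windows volume root is typically readable by all local
# users; the file-level lockdown below is what actually protects the record.
$directory = Split-Path -Path $credentialPath -Parent
if (-not (Test-Path -Path $directory)) {
    try {
        New-Item -Path $directory -ItemType Directory -Force | Out-Null
        Write-Output "Created directory '$directory'."
    }
    catch {
        Write-Error "Failed to create directory '$directory': $_"
        exit 1
    }
}

# Create the file only when it is missing (existing content is left untouched
# until the write below), then restrict it to the current user.
if (-not (Test-Path -Path $credentialPath -PathType Leaf)) {
    try {
        New-Item -Path $credentialPath -ItemType File | Out-Null
    }
    catch {
        Write-Error "Failed to create credentials file '$credentialPath': $_"
        exit 1
    }
}
Secure-CredentialsFile -Path $credentialPath

# Prompt, encrypt and write into the already-protected file.
Encrypt-And-Store-Credentials -KeyPath $encryptionKeyPath -CredPath $credentialPath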