allo allo how goes?
I have an update from one of the CA guys, Finian:
Encrypt passwords: Passwords stored in configuration files can be encrypted using an external command.
Encrypt Passwords in Configuration Files:
- In the Platform Management page, select Service Account Platforms.
- Select the platform that will manage the service account, and click Edit; the service account settings page appears.
- Display the Additional Policy Settings, and specify the following parameters:
■ Encryption Command – The full path of the encryption command that will encrypt the password. The encryption file can be stored in any location on the CPM machine.
■ This command sends the current password as its parameter. For example, if you specify “C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe”, the actual command would be "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe ", and the output would be the new encrypted password. If the current password parameter is empty, the original new password will be inserted in the file.
■ Encryption Regex - The regex parameter that handles the output of the Encryption Command parameter. If this parameter is not defined, it will behave as if “(.*)” has been specified. This parameter is only relevant when the Encryption Command parameter is defined.
The encryption executable needs to be able to take the password from the command line as it is run and output the encrypted password.
If you specify “C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe”, the actual command would be "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe "
PS C:\Program Files (x86)\CyberArk\Password Manager\bin> .\EncExe
PS C:\Program Files (x86)\CyberArk\Password Manager\bin>
This leads me to believe I can do this and have a PowerShell script that takes an argument, modifies it, then spits out the modified string:
param([Parameter(Position=0)][string]$pass = (Read-Host "Input password, please"))
$encrypted_pass = [string]$pass + "_1"   # placeholder "encryption": just append _1 to the password
$encrypted_pass                          # write the result to stdout so CPM can capture it
This would be the command and output from PowerShell:
PS C:\Users\James> .\encrypt.ps1 test
So now I need to test whether I can call that from the CPM server in the PVWA. I am led to believe by the CA team that this can be done; I kinda need it, as storing plaintext passwords in DBs is a big no-no.
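A fuller version of that encrypt.ps1, as an added example that is not part of the original message and not CyberArk's own tooling. It follows only the contract the quoted docs describe: CPM runs the Encryption Command with the current password as its argument, reads what the command prints, and applies the Encryption Regex to it. Everything else is an assumption of mine: the key file path, the 32-byte AES-256 key held in that file, the ENC(<base64>) output format, and the -Decrypt switch used to check the round trip by hand. The application that reads the config file would have to decrypt this exact format for the stored value to be of any use.

```powershell
# encrypt.ps1 -- added example, not from the original post or from CyberArk.
# Contract taken from the quoted CPM docs: CPM runs
#     <EncryptionCommand> <current password>
# and applies the Encryption Regex to whatever the command prints.
# Assumptions (mine, not the docs'): the application that reads the config
# file can decrypt AES-256-CBC with a 32-byte key kept in a file that only
# the CPM service account can read, and the stored form is ENC(<base64>).
[CmdletBinding()]
param(
    # Position 0 is what CPM fills in with the current password.
    [Parameter(Position = 0)]
    [string]$Password = '',

    # Hypothetical key file: 32 raw bytes, ACL'd to the CPM service account.
    [string]$KeyPath = 'C:\ProgramData\CPM\enc.key',

    # For checking the round trip by hand: treat $Password as an ENC(...) token.
    [switch]$Decrypt
)

function Get-AesKey([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Key file not found: $Path"
    }
    $key = [System.IO.File]::ReadAllBytes($Path)
    if ($key.Length -ne 32) {
        throw "Key file must hold exactly 32 bytes (AES-256); found $($key.Length)."
    }
    return $key
}

function Protect-Value([string]$Plain, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.GenerateIV()                       # fresh random IV for every rotation
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Plain)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        # IV || ciphertext, base64 so the value is a single line and regex-safe.
        return [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))
    } finally {
        $aes.Dispose()
    }
}

function Unprotect-Value([string]$Base64, [byte[]]$Key) {
    $blob = [Convert]::FromBase64String($Base64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = [byte[]]($blob[0..15])
        $body        = [byte[]]($blob[16..($blob.Length - 1)])
        $plain = $aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

# The docs say an empty password parameter makes CPM write the plaintext
# unchanged, so refuse loudly instead of printing anything CPM could capture.
if ([string]::IsNullOrEmpty($Password)) {
    Write-Error 'No password supplied as argument 0; nothing written to stdout.'
    exit 1
}

$key = Get-AesKey $KeyPath

if ($Decrypt) {
    if ($Password -notmatch '^ENC\((.+)\)$') {
        Write-Error 'Expected an ENC(<base64>) token to decrypt.'
        exit 1
    }
    Unprotect-Value $Matches[1] $key
    exit 0
}

# This is the only line written to stdout. With Encryption Regex set to
# ENC\((.*)\) CPM stores just the base64 payload; left unset it stores the
# whole ENC(...) token, which is what the example consumer above expects.
Write-Output ("ENC(" + (Protect-Value $Password $key) + ")")
```

To try it, first create the key file with a CSPRNG rather than Get-Random, e.g. `$k = New-Object byte[] 32; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k); [System.IO.File]::WriteAllBytes('C:\ProgramData\CPM\enc.key', $k)`, then `.\encrypt.ps1 'P@ssw0rd'` prints an `ENC(...)` token and `.\encrypt.ps1 'ENC(...)' -Decrypt` gives the plaintext back. Two things to keep in mind with this design: the quoted docs hand the password to the command as an argument, so for the lifetime of the child process the plaintext is visible in its command line, and it will land in process-creation auditing (Event 4688 with command-line logging, Sysmon Event ID 1) on the CPM host; and the scheme only removes plaintext from the config file if the application reading that file decrypts this exact format with the same key, otherwise the rotated password is unusable. CBC here gives confidentiality for the stored value but no integrity tag, which is usually acceptable for a config file the application already trusts.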