Multiple users setup : ConvertFrom-SecureString : The specified key is not valid. #102
Comments
|
Interesting! 16 bytes = 128 bits, so it's almost like the ConfigKey is
getting wiped out later on.
Checking this out, thanks for including the environment info!
Does creating the config with a key work for you on your local machine?
…On Mon, Oct 15, 2018 at 5:40 AM Harlequin69 ***@***.***> wrote:
Hi Nate,
I have been trying to setup PSGsuite for multiple users on our server but
keep the ConvertFrom-SecureString : The specified key is not valid.
error. Below is using your example code:
[image: securestringerror]
<https://user-images.githubusercontent.com/19877174/46946004-51abe580-d06e-11e8-9ffa-b9f91ab27f26.PNG>
I also get it when trying:
$AESKey = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
Import-Module PSGSuite -ArgumentList $AESKey
Any ideas?
Thanks,
Neil
Environment:
- OS: MS Server 2012 R2
- PowerShell Version: Windows PowerShell 5.1]
- PSGSuite Version: 2.15.4
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#102>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AMIo3VBYH9yPFXfIwZ6k-ABMdyGByL3Kks5ulGYVgaJpZM4XcDz1>
.
|
|
Hey, Yeah odd one. No worries anything I can test to help let me know. I have just tested with my Win10 machine also PS 5.1 and tested with PS 6 Core with the same results. |
|
Thanks for testing! Seeing if I can replicate on my end and figure out what's happening. I'm assuming that it's the same behavior on the latest version (2.16.1) since nothing with that process has changed for a while, but could you upgrade and retest whenever possible? Shouldn't need to run the gamut, just a single test in whichever PS console you have open when you update. |
|
No problem, same results with 2.16.1 |
|
Gotcha! Thanks for testing! I'll update here once I have time to try and replicate! Sent with GitHawk |
|
Hey @n-searle / @NeilSearle - Are you installing the module from the PSGallery or through another method? |
|
Hey Nate, Installed via PSGallery. From a fresh start on my home machine I have just installed PSGSuite from PSGallery and tried the demo codes in case it was some funny work GPO related issue but same error. Are you having trouble replicating the issue? Cheers, |
|
I'm not able to replicate it so far on my dev box. Going to fire up a fresh VM shortly though and see if I can replicate. It looks like the ConfigKey variable isn't be set and carried over to the Configuration module as expected though; that's the only thing I can think of that would throw that error, considering the byte array you're creating is 128-bit. I can replicate it outside of the module by trying to provide an empty byte array as the key to |
|
Anything else I can do let me know :) Cheers |
|
Will do, thanks, Neil! I was just able to replicate it on my VM, should be in good shape to figure out what's happening now =] |
|
Got it fixed by switching the EncryptionKey to a Global scoped variable instead of a Script scope. I should be able to have this worked out and deployed by tonight! |
|
Nice work 👍 thanks for looking into it :) |
|
Alright, GitHub is currently going through a data outage, but I have this in a PR ready to deploy as soon as GitHub gets their outage sorted out. Should hopefully have this out by tomorrow! |
…103 ## 2.17.0 * [Issue #102](#102) * Fixed: `$EncryptionKey` PSM1 parameter now stores the AES key correctly so SecureStrings are encrypted/decrypted as intended. * [Issue #103](#103) * Updated: `SendNotificationEmail` parameter on `Add-GSDrivePermission` defaults to false for all User & Group permissions that are not ownership transfers. * Updated: Documentation for `SendNotificationEmail` parameter on `Add-GSDrivePermission` for clarity towards default Google API parameter values. * Added: More unit testing for `Get-GSUser` * Updated: `psake` build script
|
hey @NeilSearle / @n-searle - v2.17.1 is available now, can you give it a whirl and let me know if it works alright for you? |
|
Hiya Nate, Unfortunately I am getting same results with the demo code.
I have also tried the following test code, the key is generated first with the commented out code then read back in.
This is on my work machine and home machine with PSGSuite 2.17.1 and PS 5.1. Cheers, |
|
alright, thanks for checking Neil!! I'm on it 👊 |
|
@NeilSearle / @n-searle - after you try that import, do you have your correct key in |
|
Can you also try passing the $key = [byte[]]@(1..16)
Import-Module PSGSuite -ArgumentList $key,$null |
|
you can see the difference below, but basically, without passing a second argument, it's only pulling in the first Byte of the key for some reason. I updated my dev psm1 to read back the bit-depth of the key ( [I ♥ Code]> $key = [byte[]]@(1..16)
[I ♥ Code]> Import-Module .\out\PSGSuite\2.17.2\PSGSuite.psd1 -Force -ArgumentList $key,$null
$global:PSGSuiteKey is set to a 128-bit key!
WARNING: There was no config returned! Please make sure you are using the correct key or have a configuration already saved.
[I ♥ Code]> Import-Module .\out\PSGSuite\2.17.2\PSGSuite.psd1 -Force -ArgumentList $key
$global:PSGSuiteKey is set to a 8-bit key!
WARNING: There was no config returned! Please make sure you are using the correct key or have a configuration already saved. |
|
Hi Nate, I can confirm that behaviour, with 2nd param $null:
Without 2nd param $null
Cheers |
|
Awesome! I'm going to update the docs asap. Is it working as expected when deploying to remote machines? Sent with GitHawk |
|
I'll get onto testing that and let you know. Can you also clarify the precedence in which available configs get imported. For example if an unencrypted machine config was present and a user level config is available or if an encrypted machine config and encrypted user config was present which would be the actual config that would be used? Thanks for your work on this. Cheers, |
|
Hi Nate, Have been testing on the 2012 R2 Machine and yep looks like it's all sorted. Thanks, |
|
Hey @NeilSearle / @n-searle - don't know why I'm just seeing your responses now, but thank you for confirming! For the precedence question, I'll need to revisit the logic I added on top of the Configuration module to make it work with AES keys, as I had to break the built-in layering a bit to bend it the way I wanted. I know that the decryption method is set on module import, so if you specify a key and it attempts to decrypt a config not encrypted with that key, it will fail. I don't believe it tries all available configs, but that's something to validate and possibly add in since I can see the value add when combining a personal config with something deployed with a key. Keeping this open as a reminder to check that out! |
|
Hey @NeilSearle / @n-searle - The current module breaks the nested configuration that comes with the Configuration module in favor of being able to use AES keys to encrypt/decrypt (nesting with different encryption methods proved to be a bit unwieldy). Going to close this out now, feel free to open another issue if needed! Cheers! |
Hi Nate,
I have been trying to setup PSGsuite for multiple users on our server but keep the
ConvertFrom-SecureString : The specified key is not valid.error. Below is using your example code:I also get it when trying:
Any ideas?
Thanks,
Neil
Environment:
The text was updated successfully, but these errors were encountered: