Protecting PowerShell secrets with certificate on Yubikey

Intro
Sometimes you need to store secrets, and PowerShell has a great way of encrypting text for you with the *-CmsMessage cmdlets! Now what if I want other people to be able to encrypt information without being able to decrypt it again, or if I want to encrypt something myself and only be able to decrypt it by going through a certain procedure, like checking out the decryption key from a secure storage?
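The following is an added example of that workflow, not code from the original post: the key holder creates a Document Encryption certificate, hands out only the public .cer, anyone with the .cer encrypts with Protect-CmsMessage, and only the private-key holder can run Unprotect-CmsMessage. It assumes Windows with the PKI module (New-SelfSignedCertificate); the subject name, file names and the secret are made up, and the Yubikey case (key on the token, cert published into the store by the minidriver) is described in comments only.

```powershell
# Added example, not code from the original post. Assumes Windows with the PKI module
# (New-SelfSignedCertificate) under Windows PowerShell 5.1 or PowerShell 7. The subject
# name, file names and the secret are constructed for the demo.

# 1. Key holder: create a Document Encryption certificate in the user store.
#    The CMS cmdlets only accept recipients carrying the Document Encryption EKU
#    (1.3.6.1.4.1.311.80.1). The LegacyCsp variant stores the key in a CAPI provider,
#    which Unprotect-CmsMessage handles on both 5.1 and 7 (CNG-stored keys can fail on 5.1).
#    With a Yubikey the key would live on the token and the minidriver would publish the
#    cert here instead (assumption, not shown).
$cert = New-SelfSignedCertificate -Subject 'CN=PS Secrets Demo' `
    -Type DocumentEncryptionCertLegacyCsp `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Key holder: hand out only the public half. A .cer file carries no private key.
$pubCer = Join-Path $env:TEMP 'ps-secrets-demo.cer'
Export-Certificate -Cert $cert -FilePath $pubCer | Out-Null

# 3. Anyone holding the .cer can encrypt. -To also accepts a thumbprint or subject of a
#    cert in Cert:\CurrentUser\My, but a file needs no store access at all.
$secret  = 'Constructed sample secret: do not reuse'
$cmsFile = Join-Path $env:TEMP 'secret.cms'
Protect-CmsMessage -To $pubCer -Content $secret -OutFile $cmsFile

# 4. Check without a private key: the envelope is PEM text that names its recipients
#    (issuer + serial) but reveals nothing about the plaintext.
$envelope = Get-CmsMessage -Path $cmsFile
$envelope.RecipientInfos | ForEach-Object { $_.RecipientIdentifier.Value }   # .NET EnvelopedCms property (assumed)

# 5. Only the private-key holder can decrypt. On a Yubikey this is the step that asks
#    for the PIN; the key never leaves the token.
$plain = Unprotect-CmsMessage -Path $cmsFile
if ($plain -ne $secret) { throw 'CMS round trip failed' }
"Decrypted OK: $plain"

# 6. One-way property: drop the cert from this profile, as on a machine that only ever
#    received the .cer. Encrypting still works, decrypting does not.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Protect-CmsMessage -To $pubCer -Content 'second constructed secret' -OutFile $cmsFile
$leak = $null
try   { $leak = Unprotect-CmsMessage -Path $cmsFile -ErrorAction Stop }
catch { "Decrypt without the private key failed as expected: $($_.Exception.Message)" }
if ($null -ne $leak) { throw 'private key was still reachable' }
```

Step 4 is the check worth keeping around: a blob that lists an unexpected recipient was encrypted to the wrong certificate, and you can see that before anyone has to present a private key or a Yubikey PIN.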

Using a Yubikey for PowerShell CodeSigning

Intro
I have a public code signing certificate issued by DigiCert. I want to be able to sign my PowerShell scripts anywhere, for example when I’m at a customer, but it’s a hassle having to move the code to where I have my code signing certificate just to sign it. I’ve been experimenting with build jobs in VSTS so that if I check in a script, a build job automatically signs it for me, but that requires access to the internet and to VSTS.

Set up Yubikey for PowerShell Code Signing

Intro
As I wrote in my previous post, Using a Yubikey for PowerShell CodeSigning, I’m using a Yubikey to store my code signing certificate. This way I can easily carry my cert with me, use it on different computers and not have to worry about losing my private key. In this post, I’m describing how I set up my Yubikey.
Setting up the key
The Yubikey has a small command line tool called the “piv-tool” (yubico-piv-tool); it’s downloadable from Yubico’s website.
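Both the signing post and this setup post come down to the same Windows-side step once the certificate is on the token: pick the code-signing cert out of the user store and sign with it. The block below is an added example, not code from either post. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and that the certificate (Yubikey-backed or not) is already visible in Cert:\CurrentUser\My, which with a Yubikey is the minidriver's job, not this script's. The timestamp URL, file names and script body are assumptions.

```powershell
# Added example, not code from the original posts. Assumes the code-signing cert is
# visible in Cert:\CurrentUser\My (with a Yubikey, the minidriver publishes it there).
# Timestamp URL, file names and the script body are constructed for the demo.

# Select by EKU and private-key presence rather than by thumbprint, so the same lines
# work on any machine the Yubikey is plugged into.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $signer) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }
"Signing with $($signer.Subject) ($($signer.Thumbprint))"

# Something to sign.
$scriptPath = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $scriptPath -Value "Write-Output 'signed hello'" -Encoding UTF8

# Sign with SHA-256. Timestamping keeps the signature valid after the cert expires but
# needs network; set $timestampServer to '' when signing offline at a customer site.
$timestampServer = 'http://timestamp.digicert.com'   # assumed TSA URL; use your CA's
$signParams = @{ FilePath = $scriptPath; Certificate = $signer; HashAlgorithm = 'SHA256' }
if ($timestampServer) { $signParams.TimestampServer = $timestampServer }
$sig = Set-AuthenticodeSignature @signParams         # with a Yubikey this prompts for the PIN
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status: $($sig.Status) ($($sig.StatusMessage))" }

# Verify the way a consumer's execution policy would. 'Valid' needs a trusted chain on
# this machine, so a self-signed test cert reports 'UnknownError' until its root is trusted.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
[pscustomobject]@{
    Status    = $check.Status
    Signer    = $check.SignerCertificate.Subject
    Timestamp = $check.TimeStamperCertificate.Subject   # $null when no TSA was used
}

# Tamper check: any edit to the signed body breaks the hash (expect HashMismatch).
(Get-Content -Path $scriptPath -Raw) -replace 'signed hello', 'tampered hello' |
    Set-Content -Path $scriptPath -Encoding UTF8 -NoNewline
(Get-AuthenticodeSignature -FilePath $scriptPath).Status
```

Selecting the cert with -CodeSigningCert and HasPrivateKey instead of a hard-coded thumbprint is what makes "carry the cert with me, use it on different computers" work without editing the script per machine; the private key stays on the token, and Set-AuthenticodeSignature only ever asks the minidriver to sign a hash.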