Shared Partial Configurations (ConfigurationNames) and encrypted credentials.
At the moment to use encrypted credentials in partial configurations with ConfigurationNames it is necessary to share certificate across all nodes, else decryption will fail. I believe it should be technically possible to use more dynamic approach:
- encrypt MOF with certificate for which pull server has private key
- during registration client would send over certificate for which it has private key so that pull server can encrypt any credentials in the mofs sent to this node with this certificate.
At the moment it's manual labour on the operators side: make sure that encrypt/decrypt just works. It would be nice if pull server could do more of the heavy-lifting here.
Benoit Desormeaux commented
As Michael stated, securing credentials is one thing but managing the certificates is either a management nightmare or a not-so-secure concern.
I'd like to see this in an upcoming update. The pull server should be able to manage the encryption. This, without the need to manage a private key on the node side as well as its public key set dumped somewhere accessible by the pull server. +1 for Bartek Bielawski idea.
Michael Stankiewicz commented
I would add to this: make this feature applicable to DSC credential encryption management in general, not just for partial configurations. The current solution has you either maintaining a certificate for each node in your configurations (unmanageable) or installing and using the same private key for all nodes (not the most secure option). Thus, I like this idea!