PowerPass v2.2.1

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x. If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.2.1. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

Bug Fixes

[macOS] Lockers cannot be opened after reboot

Release 2.2.1 fixes a bug in macOS where ephemeral key generation uses the MAC address of an adapter with a dynamic address assigned at start up. After rebooting your Mac, you could no longer read secrets from your Locker. The fix excludes two adapaters from consideration as candidates for ephemeral key generation to avoid this problem.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.2.1.tar.gz	C5CD4628C3B520F4B8A2F36BE3FDDF5BF031386A03B029A98B63A0CF8AE6D4CD
PowerPass-2.2.1.zip	D180B0CD907B549F861D6324CB0D78F00AAF6691CB21137F0A0A028456309D15

PowerPass v2.2.0

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x. If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.2.0. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

New Features

Importing Secrets from KeePass 2 Databases

Version 2.2.0 of PowerPass adds a new feature to the Data Protection API edition for Windows PowerShell. The newly added Import-PowerPassSecrets cmdlet allows you to copy all the secrets from a KeePass 2 database into your PowerPass Locker so that they can be exported to a separate location, like another computer, or used from your Locker instead.

Version Number

Version 2.2.0 of PowerPass adds the module version to the output of Get-PowerPass using the Version property which will allow you to easily fetch the version of PowerPass you have deployed.

Bug Fixes

Open-PowerPassDatabase does not honor relative paths

Release 2.2.0 fixes a bug in the Data Protection API edition of PowerPass when working with KeePass 2 databases. The Open-PowerPassDatabase cmdlet had an error with the -Path parameter where relative paths were ignored and caused the cmdlet to report an error that it cannot find the database file.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.2.0.tar.gz	DCFC865146CA1AC568AF4065AE7E8E19FF8FFA286628721B6C92E238CA71391C
PowerPass-2.2.0.zip	D6AC8F716ED0718F11829CCC64EAB53499644D58DD05B95C49D7EE1D7524A6C4

PowerPass v2.1.2

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x. If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.1.2. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

Bug Fixes

Excessive memory usage and long processing delay when fetching large attachments

Release v2.1.2 resolves issue #5. This issue was causing large processing delays and memory leaks with large attachments. See details below in Performance Optimization.

Performance Optimization

AMSI Workaround

This release of PowerPass includes a performance optimization for large attachments. In PowerShell 7 and above, there is an anti-malware subsystem which will engage on certain calls to .NET CLR functions causing a severe performance penalty with larger attachments. While it is not advised to store large attachments with PowerPass (files over 10 MiB in size), you can certainly do so if needed. The optimizations in PowerPass v2.1.1 and v2.1.2 eliminates the overhead of the calls to the anti-malware subsystem when attachments are read from and written into your Locker. Your anti-virus software will still monitor file system access (assuming you have it enabled on your computer), but it will no longer monitor in-memory attachment read operations performed by PowerPass itself.

Write-Output Memory Leak

This release of PowerPass also fixes an issue which occurs when you retrieve large attachments from your Locker. In Windows PowerShell 5.1 the Write-Output cmdlet leaks memory and never completes with large [byte[]] attachments, such as those that are in the 200 MiB or larger range.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.1.2.tar.gz	E262090BFA88A3F5EC4F3BFB312283C7930E415ED39C78074BF09DE5EBB59ACD
PowerPass-2.1.2.zip	E71C7B0D6B4A75A5CEB3D30FB43762CE2DFBA95C4357CFA48FE80A00EE50276E

PowerPass v2.1.1

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x. If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.1.0. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

Performance Optimization

This release of PowerPass includes a performance optimization for large attachments. In PowerShell 7 and above, there is an anti-malware subsystem which will engage on certain calls to .NET CLR functions causing a severe performance penalty with larger attachments. While it is not advised to store large attachments with PowerPass (files over 10 MiB in size), you can certainly do so if needed. The optimizations in PowerPass v2.1.1 eliminate the overhead of the calls to the anti-malware subsystem when attachments are read from and written into your Locker. Your anti-virus software will still monitor file system access (assuming you have it enabled on your computer), but it will no longer monitor in-memory operations on your PowerPass Locker performed by PowerPass itself.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.1.1.tar.gz	C068DC826876AC4C1C8B8341DC4702332EE46D4C2FE59C7CE271B883A9AC7BEF
PowerPass-2.1.1.zip	700AF897F1D682F274885869186E4D3C29B9DA89542EB27E165505447023A518

PowerPass v2.1.0

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x. If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.1.0. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

Attachment Compression

This latest release of PowerPass v2.1.0 adds support for attachment compression. When loading large attachments into your Locker, add the -GZip parameter to compress the file before loading it to your Locker. This works best with large text files, such as CSV or JSON files which contain data, but is not recommended for files which are already compressed.

Breaking Changes

The v2.x branch of PowerPass breaks away from an old methodology for generating ephemeral keys within the AES edition of PowerPass. v2.x will not be able to open v1.x Lockers on the AES edition. The key format is not the same.

Key Generation

In the v1.x branch of PowerPass, AES-encrypted Locker keys were protected with an ephemeral key based on the current environment. This key was generated using command-line utilities, and while it was functional, it was liable to fail and throw an error, halting execution of the module. In the v2.x branch of PowerPass, ephemeral keys are generated using the cross-platform .NET System.Net.NetworkInformation namespace and the System.Environment class. While this makes the implementation more durable and tolerant to more scenarios, it effectively causes a change in the key format and thus breaks from the v1.x branch of PowerPass.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.1.0.tar.gz	47743DFC4475F88A5828F8143C59E4D588C48731BE351C40DABE3365B61A0443
PowerPass-2.1.0.zip	083A66ADF4D1B4ACF90F08E9FE6C2931F62CA383DB25F697AA8E5A11AFE0D249

PowerPass v2.0.0

NOTE: This is a BREAKING CHANGE from v1.x. If you are on v1.x please EXPORT your Locker before deploying v2.x.
If your forget to do this, simply go back to v1.6.2, export your Locker, then deploy v2.0.0. PowerPass will not overwrite your Locker or your Locker keys if they already exist.

Release Notes

The latest release of PowerPass version 2.0.0 breaks away from an old methodology for generating ephemeral keys within the AES edition of PowerPass. v2.x will not be able to open v1.x Lockers on the AES edition. The key format is not the same.

Key Generation

In the v1.x branch of PowerPass, AES-encrypted Locker keys were protected with an ephemeral key based on the current environment. This key was generated using command-line utilities, and while it was functional, it was liable to fail and throw an error, halting execution of the module. In the v2.x branch of PowerPass, ephemeral keys are generated using the cross-platform .NET System.Net.NetworkInformation namespace and the System.Environment class. While this makes the implementation more durable and tolerant to more scenarios, it effectively causes a change in the key format and thus breaks from the v1.x branch of PowerPass.

Data Protection Edition

The DP API edition of PowerPass in v2.0.0 is identical to v1.6.2. Nothing has changed other than the fact that the Get-PowerPassEphemeralKey cmdlet is now part of PowerPass.Common.ps1 since it is now compatible with Linux, MacOS, and Windows using a single implementation available in both .NET and the .NET Framework.

Deployment

To install PowerPass:

1. Clone the repo, download this release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-2.0.0.tar.gz	6CE4F0EC8B360AABC2152BF6491A193D7015DD57A7EE0B3DEC40D2A527B66BD0
PowerPass-2.0.0.zip	D2F9BF9EF903F54BAE18F8E8F5DA61E9DA2C7D3A3B186BFA0A3374532BC2C3D7

PowerPass v1.6.2

The latest release of PowerPass version 1.6.2 adds support for attachments and updates the KeePassLib version to 2.56. You can now add, update and remove attachments from your PowerPass locker. Attachments can be added with any filename, including a full path, so they can easily be exported to the current directory, an arbitrary directory, or the original location from where they were imported.

Attachments

Release 1.6.2 of PowerPass adds six (6) new cmdlets:

1. Add-PowerPassAttachment - add attachments in bulk from the file system
2. Export-PowerPassAttachment - save attachments from your locker to files on disk
3. Get-PowerPassAttachments - list all attachments in your locker
4. Read-PowerPassAttachment - get an attachment from your locker
5. Remove-PowerPassAttachment - delete an attachment from your locker
6. Write-PowerPassAttachment - add a single attachment to your locker

Using these cmdlets you can easily add attachments to your encrypted PowerPass locker, fetch their contents at a later date, or hide files from the file system by adding files to your locker, deleting them from the file system, then exporting them later when they are needed.

Deployment

The deployment script has been modified and is now much quieter than before. To install PowerPass:

1. Clone the repo, download the release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

For detailed information about deployment see the Deployment article in the online documentation.

File Hashes

Release	SHA256 Hash
PowerPass-1.6.2.tar.gz	054D919D578E4B4482B19D28FB611987D7B129792474475BE96E6927C62F746A
PowerPass-1.6.2.zip	A184107B5A6A4A7DC88268CB3175CE2EA033A385A3D12FDDEA76FCE55DFF0036

PowerPass v1.6.1

This release is missing the PowerPass.Common.ps1 file required for operation. It is here for reference, but is otherwise not for general use.

PowerPass v1.6.0

PowerPass version 1.6.0 adds support for attachments. Is has been superseded by 1.6.1 which updates the KeePassLib version to 2.56. This release includes KeePassLib 2.55 and is here if you need the older KeePassLib.

File Hashes

Release	SHA256 Hash
PowerPass-1.6.0.tar.gz	D1A79F98FFE3B57BD0C7E06D94B8D2ECD0894E6FF2D7DDCE443288CCD4716230
PowerPass-1.6.0.zip	83157F25C5329881779202B78DF5463EE0B1736EE691EB41A34669D59EE81A00

PowerPass v1.5.0

The latest release of PowerPass version 1.5.0 adds support for masked password entry, locker searching by Title (not just match), pipeline optimization, includes more test coverage, and fixes a read bug when accessing an empty locker. PowerPass has been tested in PowerShell on Linux, MacOS, and Windows.

New Features and Optimization

Masked Password Entry

Up until now, the Write-PowerPassSecret cmdlet relied on the -Password parameter to set passwords for secrets in your locker. As such, passwords had to be shown on the console if typed them in. Now, a new parameter -MaskPassword gives you the option to be prompted to enter a password which is masked as you type. For more information please refer to the cmdlet reference for AES cmdlets and/or the DP API cmdlets.

Title Parameter for Read-PowerPassLocker

Up until now, the Read-PowerPassSecret cmdlet would only let you specify a -Match parameter despite the fact that the searching was done against the Title property of the secrets collection. For consistency and intuitiveness, a new exact-match -Title parameter has been added to the Read-PowerPassSecret cmdlet given that it makes the use of the cmdlet more intuitive. For more information please refer to the cmdlet reference for AES cmdlets and/or the DP API cmdlets.

Pipeline Optimization

The Write-PowerPassSecret cmdlet has been optimized for pipeline input. You can now pipeline secrets in bulk into the write cmdlet which will optimize the loading of secrets rather than invoking the cmdlet once for each secret in a large collection. The parameters for secrets can also be pipelined by name making things like this:

Import-Csv "secrets.csv" | Write-PowerPassSecret

as easy as a single line of PowerShell. This example also executes significantly faster than if one were to use a loop.

Additional Test Coverage

The unit testing scripts have been updated to cover more scenarios. Unit testing failed to catch several minor bugs and was also not configrued to verify optimizations. The unit tests have been updated to run a more comprehensive battery of tests and also to measure write performance.

Bug Fixes

Issue # 3: Read throws an error if your locker is empty

Read-PowerPassSecret no longer throws an error if you invoke it with an empty locker.

Deployment

The deployment script has been modified and is now much quieter than before. To install PowerPass:

1. Clone the repo, download the release, or download the source code for this release
2. Run .\Deploy-PowerPass.ps1 in any PowerShell terminal (you will need write access to this folder)

File Hashes

Release	SHA256 Hash
PowerPass-1.5.0.tar.gz	4BDEB339C5BC9D0E49971430A0784F3D479A860D36AEC3B97F3D0BED3646196E
PowerPass-1.5.0.zip	5F94A7B9659DAF836DA98A9B43C81CC3FD061F0D4C003B23504249D75BCF7C0D