This PowerShell script allows you to track configuration changes in PasswordState. It reads the full configuration directly from the database and writes it to JSON files. You can then store these files in any version control system (like git).
- PasswordState version 9.8 (see compatibility below)
- A user account with read access to the passwordstate database
- PowerShell 7
- PowerShell module SqlServer
- Before running the script for the first time, create a new directory for storing the configuration data (JSON files).
- Run the script pwdstateconfig2json.ps1 while providing the required parameters:
  - -OutputPath: Directory for storing the configuration data. Existing files are overwritten.
  - -DBServerInstance: The name of the SQL Server instance ("hostname\instance").
  - -DBName: The name of the database.
  - -DBConnectionEncrypt: Whether and how to encrypt the connection to the database. See the documentation for Invoke-Sqlcmd.
  - -ConnectionString: The connection string to connect to the database server. Use this parameter instead of DBServerInstance, DBName and DBConnectionEncrypt to get full control of the connection.
The current version has been tested with PasswordState version 9.8 Build 9858. Whether it works with other versions depends on the differences in the database schema. See the PasswordState change log.
The script masks sensitive data that is part of the configuration, such as keys and passwords. It replaces these values with asterisks before the data is stored on disk. Some non-sensitive data is also masked. This applies to data that changes regularly as a result of normal operations (hence, it is not configuration data).
Note: All fields of type VarBinary are masked. Most of these are encrypted (according to ClickStudios support). Encryption keys are obviously not encrypted, but they are masked as well. I may still have missed some data that should be masked. Please let me know by creating an issue.
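The following wrapper is an added example, not part of this project: it runs the export with the parameters listed above, scans the resulting JSON for values that may have escaped the masking described in the note, and commits to git only if nothing is flagged. The server name, database name, paths and the 'Mandatory' encryption value are assumptions, and the pattern is a heuristic that reports field names only, never the values.

```powershell
# Added example (not the project's own code): export, masking review gate, git commit.
# Assumptions: this file sits next to pwdstateconfig2json.ps1; $repo is an existing git
# repository; server/database names are placeholders; 'Mandatory' is assumed to be an
# accepted -DBConnectionEncrypt value (it is a valid Invoke-Sqlcmd -Encrypt value).
$ErrorActionPreference = 'Stop'
$repo = 'C:\PasswordStateConfig'          # placeholder path
$out  = Join-Path $repo 'config'          # directory created before the first run

& (Join-Path $PSScriptRoot 'pwdstateconfig2json.ps1') -OutputPath $out `
    -DBServerInstance 'sqlhost.example\INSTANCE' -DBName 'passwordstate' `
    -DBConnectionEncrypt 'Mandatory'

# Heuristic: a JSON string value of 32+ base64/hex characters may be unmasked key
# material. Values replaced with asterisks never match this pattern.
$pattern = '"(?<name>[^"]+)"\s*:\s*"[A-Za-z0-9+/]{32,}={0,2}"'
$hits = Get-ChildItem -Path $out -Filter *.json -Recurse |
    Select-String -Pattern $pattern -AllMatches |
    ForEach-Object {
        foreach ($m in $_.Matches) {
            # Record where the match is, but not the matched value itself.
            [pscustomobject]@{
                File  = $_.Path
                Line  = $_.LineNumber
                Field = $m.Groups['name'].Value
            }
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Possible unmasked values found; nothing was committed. Review the listed fields.'
}

# Commit only when the export differs from the last snapshot.
git -C $repo add -- config
if (git -C $repo status --porcelain -- config) {
    git -C $repo commit -m "PasswordState config snapshot $(Get-Date -Format s)"
} else {
    Write-Host 'No configuration changes.'
}
```

A flagged field is not necessarily a secret (long identifiers also match), so treat a hit as a prompt to review the file before it enters version control history.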