Secure Storage link

Entra Auth Cli uses platform-specific secure storage mechanisms to protect sensitive authentication data. Understanding how secrets are stored helps you make informed security decisions.

Platform Security Overview link

What Gets Stored link

Profile Configuration (Plaintext) link

Location: ~/.entra-auth-cli/profiles.json

Stored in plaintext:

• Profile name
• Client ID
• Tenant ID
• Scope
• Authority URL
• OAuth2 flow preference

Example:

  {
  "profiles": [
    {
      "name": "my-service-principal",
      "clientId": "12345678-1234-1234-1234-123456789abc",
      "tenantId": "87654321-4321-4321-4321-cba987654321",
      "scope": "https://graph.microsoft.com/.default",
      "flow": "ClientCredentials"
    }
  ]
}
  

Secrets (Encrypted) link

What’s encrypted:

• Client secrets
• Certificate passwords
• Private key data

Storage location:

• Windows: DPAPI-encrypted data
• macOS: Keychain access
• Linux: XOR-obfuscated file

Windows Security (DPAPI) link

How It Works link

Data Protection API (DPAPI):

• Built into Windows
• Uses user account credentials to encrypt data
• Data is automatically tied to user profile

Security Properties:

• ✅ Strong encryption (AES-256)
• ✅ Automatic key management
• ✅ Per-user encryption
• ✅ OS-level protection

Storage Location link

Encrypted data is stored in user-specific Windows data stores. The exact location is managed by Windows.

Access Control link

• Only the same user account on the same machine can decrypt
• Administrator accounts cannot decrypt another user’s DPAPI data
• Backing up and restoring requires user profile migration

Security Considerations link

✅ Safe for:

• Development workstations
• Single-user systems
• Corporate managed devices

⚠️ Be aware:

• Data is tied to user profile
• Lost password = lost data (unless backed up properly)
• Malware running under your account can access

macOS Security (Keychain) link

How It Works link

macOS Keychain:

• System-level secure storage
• Encrypted with user’s login password
• Managed by macOS Security framework

Security Properties:

• ✅ Strong encryption (AES-256)
• ✅ Integration with Touch ID / Face ID
• ✅ Per-item access control
• ✅ Audit logging

Storage Location link

  ~/Library/Keychains/login.keychain-db
  

Note: Keychain is encrypted; you cannot read it directly.

Viewing Secrets link

Open Keychain Access app:

1. Launch: /Applications/Utilities/Keychain Access.app
2. Search for: entra-auth-cli
3. Double-click item → “Show password”
4. Authenticate with your login password

Screenshot:

Access Control link

• Requires user authentication to access
• Can be protected by Touch ID
• Can set per-item access policies

Exporting Keychain link

You can export secrets for backup:

  security export -k login.keychain-db -t identities -o backup.p12
  

⚠️ Warning: Exported files contain unencrypted secrets. Protect them carefully.

Security Considerations link

✅ Safe for:

• Development workstations
• Personal Macs
• Production automation (with proper access controls)

⚠️ Be aware:

• Malware with keychain access can extract secrets
• User password compromise = keychain compromise
• Backup keychain securely

Linux Security (XOR Obfuscation) link

⚠️ Security Warning link

How It Works link

XOR Obfuscation:

• Simple XOR cipher with fixed key
• Not encryption — just encoding
• Prevents casual viewing in text editors

Security Properties:

• ❌ No real protection
• ❌ Easily reversible
• ❌ Fixed obfuscation key in source code

Storage Location link

  ~/.entra-auth-cli/secrets.dat
  

Warning: This file contains your secrets in an easily decodable format.

Why XOR? link

Linux lacks a universal, secure secret storage mechanism:

• Keyring services vary by distribution (GNOME Keyring, KWallet, etc.)
• Not always available on servers or minimal installs
• Inconsistent APIs across distributions

XOR obfuscation is a lowest common denominator approach that works everywhere but provides minimal security.

Linux Alternatives link

1. Environment Variables link

Store secrets in environment variables:

  export AZURE_CLIENT_SECRET="your-secret"
entra-auth-cli get-token -p myprofile
  

Profile without stored secret:

  {
  "name": "myprofile",
  "clientId": "...",
  "useClientSecret": true
  // No "clientSecret" field
}
  

The tool will read from AZURE_CLIENT_SECRET if available.

2. Azure Key Vault link

Store secrets in Azure Key Vault and retrieve at runtime:

  SECRET=$(az keyvault secret show --vault-name MyVault --name ClientSecret --query value -o tsv)
entra-auth-cli get-token -p myprofile --client-secret "$SECRET"
  

3. HashiCorp Vault link

  SECRET=$(vault kv get -field=client_secret secret/entra-auth-cli)
entra-auth-cli get-token -p myprofile --client-secret "$SECRET"
  

4. Certificate Authentication link

Use certificates instead of secrets (more secure):

  entra-auth-cli config create
# Select: Certificate
# Provide: /path/to/cert.pfx
  

Certificates can be stored with restricted file permissions:

  chmod 600 /path/to/cert.pfx
chown myuser:myuser /path/to/cert.pfx
  

5. Managed Identity (Azure VMs) link

On Azure VMs, use Managed Identity (no secrets needed):

  # Configure VM with Managed Identity
# No secrets stored locally
entra-auth-cli get-token -p managed-identity-profile
  

Security Recommendations link

Certificate Storage link

How Certificates Are Stored link

Certificates are not stored by the tool. You provide the certificate path:

  {
  "name": "cert-profile",
  "certificatePath": "/path/to/certificate.pfx"
}
  

Certificate Security link

Security depends on:

1. File permissions on certificate file
2. Password protection of PFX/PKCS12 file
3. Storage location security

Best Practices link

1. Restrict File Permissions link

  # Linux/macOS
chmod 600 /path/to/cert.pfx
chown myuser:myuser /path/to/cert.pfx

# Windows
icacls cert.pfx /inheritance:r /grant:r "%USERNAME%:F"
  

2. Password-Protect Certificates link

Always use password-protected PFX files:

  # Convert to password-protected PFX
openssl pkcs12 -export -in cert.pem -inkey key.pem \
  -out cert.pfx -password pass:YourStrongPassword
  

3. Store in Secure Locations link

macOS:

  # Store in user-protected directory
~/Library/Application Support/entra-auth-cli/certs/
  

Windows:

  # Store in user profile
%USERPROFILE%\.entra-auth-cli\certs\
  

Linux:

  # Store with restricted permissions
~/.entra-auth-cli/certs/
chmod 700 ~/.entra-auth-cli/certs/
  

4. Use Certificate Stores link

Windows Certificate Store:

  # Import certificate to Windows store
certutil -user -p YourPassword -importPFX cert.pfx

# Reference by thumbprint in profile
"certificateThumbprint": "ABC123..."
  

macOS Keychain:

  # Import to Keychain
security import cert.pfx -k login.keychain -P YourPassword

# Reference by name
"certificateName": "My Certificate"
  

Secret Lifecycle link

1. Secret Creation link

Client Secret:

  entra-auth-cli config create
# Select: Client Secret
# Enter: your-secret-here
# ✓ Encrypted and stored securely
  

Certificate:

  entra-auth-cli config create
# Select: Certificate
# Enter: /path/to/cert.pfx
# Enter password: ****
# ✓ Password encrypted and stored
# ✓ Certificate path stored (plaintext)
  

2. Secret Usage link

When generating tokens:

1. Profile is read from profiles.json
2. Secrets are decrypted from secure storage
3. Used for authentication
4. Never written to logs or disk unencrypted

3. Secret Rotation link

Update secrets regularly:

  # Edit profile and update secret
entra-auth-cli config edit -p myprofile
# Select: Client Secret or Certificate
# Enter new secret
# ✓ Old secret overwritten
  

4. Secret Deletion link

When deleting a profile:

  entra-auth-cli config delete -p myprofile
# ✓ Profile removed from profiles.json
# ✓ Associated secrets removed from secure storage
  

Security Audit link

Checking What’s Stored link

List Profiles link

  entra-auth-cli config list
  

View Profile Details link

  # View non-sensitive profile data
cat ~/.entra-auth-cli/profiles.json | jq
  

Check Keychain (macOS) link

  security find-generic-password -s entra-auth-cli -g
  

DPAPI Inventory (Windows) link

Use specialized tools like dpapick to audit DPAPI-protected data.

Best Practices link

✅ Development link

• Use platform secure storage (DPAPI on Windows, Keychain on macOS)
• Separate profiles for dev/test/prod
• Short-lived secrets
• Regular rotation

✅ Production link

Windows/macOS:

• Platform secure storage is acceptable
• Certificates preferred over secrets
• Regular audits

Linux:

• ⚠️ Do not use built-in storage
• Use external secret manager (Key Vault, Vault)
• Or use certificate authentication with restricted file permissions
• Or use Managed Identity

✅ CI/CD link

• Store secrets in CI/CD secret manager (GitHub Secrets, Azure Pipelines)
• Inject at runtime
• Never commit secrets to git
• Use short-lived tokens

❌ Never link

• ❌ Commit profiles.json to git
• ❌ Share secrets via email/Slack
• ❌ Store secrets in plaintext files
• ❌ Use the same secret across environments
• ❌ Trust Linux XOR storage for production

Troubleshooting link

“Access to secure storage denied” link

Windows:

• User profile may be corrupted
• Try running as the correct user

macOS:

• Keychain may be locked
• Open Keychain Access and unlock

“Cannot decrypt secret” link

Cause: Secret was encrypted on different machine or user account

Fix:

1. Delete profile: entra-auth-cli config delete -p myprofile
2. Recreate profile: entra-auth-cli config create
3. Re-enter secret

Migrating Secrets link

Secrets are tied to user accounts and machines. To migrate:

1. Export profile configuration (plaintext):

     cat ~/.entra-auth-cli/profiles.json
     

2. On new machine, recreate profile:

     entra-auth-cli config create
   # Re-enter all secrets
     

Note: Secrets cannot be exported/imported directly due to encryption.

Next Steps link

• Creating Profiles
• Certificate Authentication Guide
• Production Deployment
• Security Best Practices