Set-KDSConfiguration for non-default KDS Root Key generation in Windows Server 2022. Do this **before** running Add-KdsRootKey as there is (probably) no _supported_ way to remove existing KDS Root Keys from an AD.
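#Requires -Version 5.1
#Requires -RunAsAdministrator
#Requires -Modules Kds
<#
.SYNOPSIS
    Configure the Key Distribution Service (KDS) for non-default root key generation.
.DESCRIPTION
    Calls Set-KdsConfiguration twice: once for the key derivation function and its
    MS-GKDI parameter blob, once for the secret agreement algorithm and key lengths.
    Run this BEFORE Add-KdsRootKey - the configuration is consumed when a root key is
    created, and (per the author) there is probably no supported way to remove an
    existing KDS root key from AD afterwards. Because the change is domain-wide and
    effectively irreversible, the script supports -WhatIf / -Confirm so the intended
    settings can be reviewed before anything is written.
.PARAMETER KdfAlgorithm
    Key derivation function name passed to Set-KdsConfiguration. Default: PBKDF2.
.PARAMETER HMAC
    Hash algorithm name embedded in the KDF parameter blob. Default: SHA512.
.PARAMETER SecretAgreementType
    Secret agreement algorithm family; only ECDH is accepted here.
.PARAMETER SecretAgreementKeyLength
    Curve size (256 or 384) used for both the public and private key length and
    appended to the algorithm name (e.g. ECDH_P384).
.OUTPUTS
    None. Changes are applied through Set-KdsConfiguration.
.NOTES
    Errors from the first Set-KdsConfiguration call are made terminating so that a
    failure there does not leave the secret agreement settings half-applied.
#>
[CmdletBinding(SupportsShouldProcess)]
Param (
    # Password Based Key Derivation Function number 2.
    # NOTE(review): non-Windows MS-GKDI consumers may only implement SP800_108_CTR_HMAC;
    # confirm interoperability with every gMSA/DPAPI-NG client before choosing PBKDF2.
    [ValidateSet('PBKDF2', 'SP800_108_CTR_HMAC')]
    [string]
    $KdfAlgorithm = 'PBKDF2',

    # SHA512 is the default on Server 2022; the other values are offered for older
    # Server versions. SHA1 is kept for compatibility only - prefer SHA256 or stronger.
    [ValidateSet('SHA512', 'SHA384', 'SHA256', 'SHA1')]
    [string]
    $HMAC = 'SHA512',

    # Only elliptic-curve Diffie-Hellman is supported by this script.
    [ValidateSet('ECDH')]
    [string]
    $SecretAgreementType = 'ECDH',

    # 521 could not be made to work by the author, so 384 is the largest option.
    [ValidateSet(256, 384)]
    [int]
    $SecretAgreementKeyLength = 384
)

# Hash algorithm name as UTF-16LE bytes, followed by a two-byte null terminator.
$HMACBytes = [System.Text.Encoding]::Unicode.GetBytes($HMAC) + [byte[]] @(0, 0)

# Length of the null-terminated name as a 4-byte integer (little-endian on Windows).
$HMACLength = [System.BitConverter]::GetBytes([int] $HMACBytes.Length)

# KDF parameter blob layout, see
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/9946aeff-a914-45e9-b9e5-6cb5b4059187
#   bytes 0-7   : fixed header 00 00 00 00 01 00 00 00
#   bytes 8-11  : length of the null-terminated hash name
#   bytes 12-15 : zero
#   bytes 16-   : hash name, UTF-16LE, null-terminated
$KdfParameters = [byte[]] @(0, 0, 0, 0, 1, 0, 0, 0) + $HMACLength + (0, 0, 0, 0) + $HMACBytes

# Algorithm name with the curve size appended, e.g. ECDH_P384.
$SecretAgreementAlgorithm = '{0}_P{1}' -f $SecretAgreementType, $SecretAgreementKeyLength

# Step 1: key derivation function and its parameter blob.
# -ErrorAction Stop turns a non-terminating cmdlet error into a terminating one so the
# second configuration write below is not attempted after a failed first write.
if ($PSCmdlet.ShouldProcess('KDS configuration', "Set KdfAlgorithm=$KdfAlgorithm (HMAC $HMAC)")) {
    Set-KdsConfiguration -KdfAlgorithm $KdfAlgorithm -KdfParameters $KdfParameters -ErrorAction Stop
}

# Step 2: secret agreement algorithm and key lengths.
# No separate parameter blob is passed; the curve is presumably carried by the
# algorithm name itself - verify against Get-KdsConfiguration after applying.
if ($PSCmdlet.ShouldProcess('KDS configuration', "Set SecretAgreementAlgorithm=$SecretAgreementAlgorithm")) {
    Set-KdsConfiguration -SecretAgreementAlgorithm $SecretAgreementAlgorithm `
        -SecretAgreementPublicKeyLength $SecretAgreementKeyLength `
        -SecretAgreementPrivateKeyLength $SecretAgreementKeyLength `
        -SecretAgreementParameters $null `
        -ErrorAction Stop
}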