update

setup/main.ps1

@@ -93,8 +93,16 @@ If ($Locale -eq $null) {
 }
 
 try {
-    $encryptedSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText
-    $RuntimeConfig = ConvertFrom-SecureString $encryptedSecret | ConvertFrom-Json | Select-Object -Expand runtime
+# Get and decrypt the config from Key Vault
+    $encryptedConfig = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop
+    $encryptedBytes = [Convert]::FromBase64String($encryptedConfig)
+    $decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
+        $encryptedBytes,
+        $null,
+        [System.Security.Cryptography.DataProtectionScope]::CurrentUser
+    )
+    $configString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
+    $RuntimeConfig = $configString | ConvertFrom-Json
     Set-AzContext -SubscriptionId $RuntimeConfig.subscriptionId
 }
 catch {
@@ -476,7 +484,3 @@ Add-LogEntry 'Information' "Completed execution of main runbook" -workspaceGuid
 # vduHbe/rUCbpQefqNRPCsYhO6dp/k6CH5XGin8lPPIDdRl+LaSY13QYD9rWEeAFo
 # A6om4dcNwSng2HswnGtUaDxiDTtAqPv1F5RTFD0ILoHWkDjD4NwHiodDPKn7pbFV
 # yOVynr1zu8cGneK2fBidzculEjzOfaASvM/aH/oDSpTrM8ZKKURcEsU+PqxeByn2
-# yMExxoMHREyWswmY3LtDgo36H0D1SGJ8OcVHhzGFFV5Q9/u8jodCy2JNH83BuKGh
-# 1euy9uKef3TlcDqKCnG2Oaxd6OzqfCTWgWazjQ0M2OZOurZWbXBMVTJuD6GUxNSm
-# z8oLhvJYXybSsUZJ6zHql7KukNVheG7WXTrb6Pe0
-# SIG # End signature block

src/GuardrailsSolutionAcceleratorSetup/modules/Deploy-GuardrailsSolutionAccelerator/Deploy-GuardrailsSolutionAccelerator.psm1

@@ -433,9 +433,17 @@ Function Deploy-GuardrailsSolutionAccelerator {
             'deployerAzureID'       = $config['runtime']['userId']
         }
 
-        # $secureValue = 
-        # $secretValue = ConvertFrom-SecureString $secureValue
-        Set-AzKeyVaultSecret -VaultName $config['runtime']['keyVaultName'] -Name $configSecretName -SecretValue (ConvertTo-SecureString -String (ConvertTo-Json $config -Depth 10) -AsPlainText -Force) -Tag $secretTags -ContentType 'application/json' -Verbose:$useVerbose | Out-Null
+        $jsonConfig = ConvertTo-Json $config -Depth 10
+        $encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect(
+            [System.Text.Encoding]::UTF8.GetBytes($jsonConfig),
+            $null,
+            [System.Security.Cryptography.DataProtectionScope]::CurrentUser
+        )
+        $encryptedBase64 = [Convert]::ToBase64String($encryptedBytes)
+        $secureString = ConvertTo-SecureString $encryptedBase64 -AsPlainText -Force
+
+        Set-AzKeyVaultSecret -VaultName $config['runtime']['keyVaultName'] -Name $configSecretName `
+            -SecretValue $secureString -Tag $secretTags -ContentType 'application/json' -Verbose:$useVerbose | Out-Null
 
         Write-Host "Completed deployment of the Guardrails Solution Accelerator!" -ForegroundColor Green
     }

src/GuardrailsSolutionAcceleratorSetup/modules/Get-GSAExportedConfig/Get-GSAExportedConfig.psm1

@@ -1,3 +1,5 @@
+Add-Type -AssemblyName System.Security
+
 Function Get-GSAExportedConfig {
     <#
     .SYNOPSIS
@@ -45,11 +47,21 @@ Function Get-GSAExportedConfig {
     }
 
     try {
-        [string]$configValue = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop
+        $encryptedConfig = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop
+        $encryptedBytes = [Convert]::FromBase64String($encryptedConfig)
+        $decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
+            $encryptedBytes,
+            $null,
+            [System.Security.Cryptography.DataProtectionScope]::CurrentUser
+        )
+        $configString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
+
+        # Return the decrypted config string
+        [PSCustomObject]@{
+            configString = $configString
+        }
     }
     catch {
-        Write-Error -Message "Unable to retrieve the latest configuration from the Key Vault. Please ensure that the Key Vault exists and that the latest configuration has been exported. Message: $_" -ErrorAction Stop
+        Write-Error -Message "Unable to retrieve and decrypt the latest configuration from the Key Vault. Please ensure that the Key Vault exists and that the latest configuration has been exported. Message: $_" -ErrorAction Stop
     }
-
-    return (New-Object -TypeName PSObject -Property @{configString = $configValue})
 }