2/26/2019 Secure Password with PowerShell: Encrypting Credentials - Part 1 - PDQ.com
https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-1/

Secure Password with PowerShell: Encrypting Credentials – Part 1
Kris Powell in PowerShell
February 26, 2015

Like many systems administrators out there, I’ve often found myself with a
task that needs to be automated. Automating is great with PowerShell until
you need to pass credentials into a script.

At this point, I have seen many administrators put passwords into the body of
their script. For testing purposes, this may be forgiven, but in production
scripts, putting your passwords in plain view isn’t just a bad thing…it’s a
terrifying thing. It should be a cardinal sin. But you can secure a password with
PowerShell (or at least reduce password visibility).

First, we should touch base on how to supply a credential without having to
save it directly in your script.

Get-Credential and Read-Host


You can create a PSCredential object by using the cmdlet Get-Credential and
storing the output into a variable. You can pass that variable directly into
cmdlets that support PSCredential objects.

$MyCredential = Get-Credential


Notice that when you access the variable $MyCredential, you are able to see
the username but you are unable to see the password. It only displays,
“System.Security.SecureString” on the screen. This is because the password is
now stored as a SecureString.

You can then use this new PSCredential object directly with cmdlets that
support PSCredential objects. You can also individually reference the
username or the password for cmdlets that don’t accept a PSCredential object
but will support username and password parameters.

In those cases, you can use $MyCredential.Username and $MyCredential.Password.

Alternatively, you can use Read-Host to prompt for input and store the result
in a variable. This includes prompting for a SecureString (for a password).

$user = Read-Host "Enter Username"
$pass = Read-Host "Enter Password" -AsSecureString

Notice that the output is very similar to the output of the Get-Credential
variable we used, $MyCredential. It shows the username as, “MyUserName”
and the password as, “System.Security.SecureString.”

This is great for manual runs of scripts as it helps to remove the password from
the script, but it doesn’t really help with our automation. We’re looking for a
solution that will be able to run automatically without having to constantly
supply credentials via Get-Credential/Read-Host or by leaving our passwords
in plain view for anybody to read.

ConvertTo-SecureString – Encrypting passwords and other strings

ConvertTo-SecureString is used to convert plain text or encrypted standard
strings into a SecureString object. The SecureString object can be used with
cmdlets that support parameters of type SecureString, as is the case with a
PSCredential object. You can use the command directly or pipe results into the
command.

Syntax:

ConvertTo-SecureString [-String] SomeString
ConvertTo-SecureString [-String] SomeString [-SecureKey SecureString]
ConvertTo-SecureString [-String] SomeString [-Key Byte[]]
ConvertTo-SecureString [-String] SomeString [-AsPlainText] [-Force]

-String String
The string to convert to a SecureString

-SecureKey SecureString
Encryption key as a SecureString.

-Key Byte[]
Encryption key as a byte array.

-AsPlainText
Tells command to treat string as plain text. The string is not encrypted when
using this command. Because of the lack of security, the -Force parameter is
also required.

-Force
Confirms you understand the lack of security when using -AsPlainText

When you are not using the -Key or -SecureKey parameters, PowerShell uses
the Windows Data Protection API (DPAPI) to encrypt/decrypt your strings.
This effectively means that only the same user account on the same computer
will be able to use this encrypted string. That is something to keep in mind as
you attempt to automate any scripts. If you’re using a service account, you’ll
need to use the -Key or -SecureKey parameters.

Let’s say, for example, you want to take the text, “P@ssword1” and convert it
to a SecureString. Since this is a plain text string, we’re going to use the
-AsPlainText and -Force parameters.

"P@ssword1" | ConvertTo-SecureString -AsPlainText -Force

The result is a SecureString object. Unfortunately, you cannot directly save a
SecureString object to a file for later use. You have to convert this SecureString
object to an encrypted standard string. You can do this with
ConvertFrom-SecureString.

ConvertFrom-SecureString – Saving encrypted standard strings

ConvertFrom-SecureString is used to convert secure strings into encrypted
standard strings. You can use the command directly or pipe results into the
command.

Syntax:

ConvertFrom-SecureString [-SecureString] SecureString
ConvertFrom-SecureString [-SecureString] SecureString [-SecureKey SecureString]
ConvertFrom-SecureString [-SecureString] SecureString [-Key Byte[]]

-SecureString SecureString
The secure string to convert to an encrypted standard string.

-SecureKey SecureString
Encryption key as a SecureString.

-Key Byte[]
Encryption key as a byte array.

Following the same example above, we’ll take the output of the previous
example and pipe it into the ConvertFrom-SecureString command to get an
encrypted standard string.

"P@ssword1" | ConvertTo-SecureString -AsPlainText -Force |
    ConvertFrom-SecureString

The result is an encrypted standard string that you can then save for later
retrieval.

Putting it all together


We now know how to convert a SecureString to an encrypted standard string.
We can take any method we like to get a SecureString, convert it to a standard
string and then save it to a file. Here is an example of each:

Exporting SecureString from Plain text

"P@ssword1" | ConvertTo-SecureString -AsPlainText -Force |
    ConvertFrom-SecureString | Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Get-Credential

(Get-Credential).Password | ConvertFrom-SecureString |
    Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Read-Host

Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString |
    Out-File "C:\Temp 2\Password.txt"

Any one of these examples should provide you with a Password.txt file that has
an encrypted standard string that represents the password.

When you need to use this encrypted password, you simply reverse the process
by importing the data from your file and use ConvertTo-SecureString. If all you
need is a SecureString, you can stop there. You could even take it a step further
and create a PSCredential object.

Creating SecureString object

$pass = Get-Content "C:\Temp 2\Password.txt" | ConvertTo-SecureString

Creating PSCredential object

$User = "MyUserName"
$File = "C:\Temp 2\Password.txt"
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)

Final Notes
This will not stop anybody who knows what they’re doing from decrypting
your password or from reusing your encrypted password if they ever are able to
compromise your login. The whole point of converting your password to a
SecureString and storing it in a file is to keep it out of plain text in your scripts
so that it’s not as easily discovered. It’s not foolproof, but it’s pretty good.

As mentioned above, when you are not specifying a key or securekey, only the
same user on the same computer will be able to decrypt the encrypted string.
Any process that runs under that same user account will be able to decrypt
that encrypted string on that same machine.
If you want to be able to share a credential with multiple machines/logins/etc,
then you’ll need to use Keys/SecureKeys. I’ll save that for another post.
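
The save-and-reload procedure above, wrapped in two functions as an added example (not code from the original post): the export step also restricts the file's ACL to the current account, and the import step reports the failure you get when DPAPI cannot decrypt the file, for instance under a different user or on a different computer. The function names, the `$env:TEMP` path and the ACL step are assumptions of this example; Windows PowerShell 3.0 or later on Windows is assumed.

```powershell
# Added example. Function names and the sample path are hypothetical.
function Export-StoredPassword {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Path
    )
    # No -Key/-SecureKey, so DPAPI ties the string to this user on this computer.
    $Password | ConvertFrom-SecureString | Set-Content -LiteralPath $Path -Encoding Ascii

    # Assumption of this example: also limit the file's ACL to the current account.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Import-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    $text = Get-Content -LiteralPath $Path -ErrorAction Stop | Select-Object -First 1
    if ([string]::IsNullOrWhiteSpace($text)) { throw "'$Path' is empty." }
    try {
        $secure = ConvertTo-SecureString -String $text -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was created by another user or on another computer.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Cannot decrypt '$Path' as $who on ${env:COMPUTERNAME}: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage: create the file once as the account that will later run the script.
$file = Join-Path $env:TEMP 'Password.txt'
Export-StoredPassword -Password (Read-Host 'Enter Password' -AsSecureString) -Path $file
$cred = Import-StoredCredential -UserName 'MyUserName' -Path $file
$cred.UserName   # the password stays a SecureString inside $cred
```

The ACL only limits who can read the file; any process running as the same user on the same machine can still decrypt its contents.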

***Read part 2 here***

Did you know that PDQ Deploy has a PowerShell step you can use to
deploy your scripts?

This blog post is part of a series on PowerShell:

How to Write Your First Powershell Script
How to Add Printers with Powershell
Searching Through Files for Matching Strings
Get-Date Cmdlet
Get-Command and Get-Member
Get-Help
Console Window Tips
Get CPU Usage for a Process Using Get-Counter
Sending Email (with Gmail example)
Zip up files using .NET and Add-Type
Text-to-Speech Examples
Running .NET 4 with PowerShell Version 2.0
Silently Change Firefox Default Search Providers
Copying Individual Files and Renaming Duplicates
Sending a Wake-On-LAN (WOL) Magic Packet
Secure Password with PowerShell: Encrypting Credentials - Part 1
Secure Password with PowerShell: Encrypting Credentials - Part 2
Create Shortcuts on User Desktops using Powershell
Using PowerShell to Set Static and DHCP IP Addresses - Part 1
Using PowerShell to Set Static and DHCP IP Addresses - Part 2
Capturing Screenshots with PowerShell and .NET
Using Get-ChildItem to Find Files by Date and Time