Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
com
Subscribe now
Like many systems administrators out there, I’ve often found myself with a
task that needs to be automated. Automating is great with PowerShell until
you need to pass credentials into a script.
At this point, I have seen many administrators put passwords into the body of
their script. For testing purposes, this may be forgiven, but in production
scripts, putting your passwords in plain view isn’t just a bad thing…it’s a
terrifying thing. It should be a cardinal sin. But you can secure a password with
Powershell (or at least reduce password visibility).
$MyCredential = Get-Credential
Notice that when you access the variable $MyCredential, you are able to see
the username but you are unable to see the password. It only displays,
“System.Security.SecureString” on the screen. This is because the password is
now stored as a SecureString.
You can then use this new PSCredential object directly with cmdlets that
support PSCredential objects. You can also individually reference the
username or the password for cmdlets that don’t accept a PSCredential object
but will support username and password parameters.
Alternatively, you can use Read-Host to prompt for input and store the result
in a variable. This includes prompting for a SecureString (for a password).
Notice that the output is very similar to the output of the Get-Credential
variable we used, $MyCredential. It shows the username as, “MyUserName”
and the password as, “System.Security.SecureString.”
This is great for manual runs of scripts as it helps to remove the password from
the script, but it doesn’t really help with our automation. We’re looking for a
solution that will be able to run automatically without having to constantly
supply credentials via Get-Credential/Read-Host or by leaving our passwords
in plain view for anybody to read.
Syntax:
Key Byte[]
–Key
Encryption key as a byte array.
–AsPlainText
AsPlainText
Tells command to treat string as plain text. The string is not encrypted when
using this command. Because of the lack of security, the -Force parameter is
also required.
–Force
Force
Con rms you understand the lack of security when using -AsPlainText
Let’s say, for example, you want to take the text, “P@ssword1” and convert it
to a SecureString. Since this is a plain text string, we’re going to use the –
AsPlainText and –Force
Force parameters.
Syntax
yntax:
String String
–String
SecureKey SecureString
–SecureKey
Encryption key as a SecureString.
Key Byte[]
–Key
Encryption key as a byte array.
Following the same example above, we’ll take the output of the previous
example and pipe it into the ConvertFrom-SecureString command to get an
encrypted standard string.
The result is an encrypted standard string that you can then save for later
retrieval.
Any one of these examples should provide you with a Password.txt le that has
an encrypted standard string the represents the password.
$User = "MyUserName"
$File = "C:\Temp 2\Password.txt"
$MyCredential=New-Object -TypeName
System.Management.Automation.PSCredential `
-ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)
Final Notes
This will not stop anybody who knows what they’re doing from decrypting
your password or from reusing your encrypted password if they ever are able to
compromise your login. The whole point of converting your password to a
SecureString and storing it in a le is to keep it out of plain text in your scripts
so that it’s not as easily discovered. It’s not foolproof, but it’s pretty good.
As mentioned above, when you are not specifying a key or securekey, this will
only work for the same user on the same computer will be able to decrypt the
encrypted string if you’re not using Keys/SecureKeys. Any process that runs
under that same user account will be able to decrypt that encrypted string on
that same machine.
Sign Up For Blog Notifications ×
Get notified when new blogs are posted
Subscribe now
https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-1/ 7/11
2/26/2019 Secure Password with PowerShell: Encrypting Credentials - Part 1 - PDQ.com
Subscribe now
If you want to be able to share a credential with multiple machines/logins/etc,
then you’ll need to use Keys/SecureKeys. I’ll save that for another post.
Did you know that PDQ Deploy has a PowerShell step you can use to
deploy your scripts?