However, most of the time, while doing certain tasks you need to use a different set of credentials than the currently logged-on user. You can put the password in plain text inside the script, but this is neither a best practice nor recommended. After all, passwords are safe only if they are kept secret; writing them in clear text inside a script defeats the overall purpose.

We can get user credentials with the Get-Credential cmdlet and store them in a variable:

```powershell
$creds = Get-Credential
```

This pops up a Windows dialog box allowing you to type the credentials. You can then use this $creds variable with any cmdlet that accepts a PSCredential object, and you can fetch the username and password with $creds.UserName and $creds.Password respectively.

Alternatively, you can ask the user to submit credentials at run time with the Read-Host cmdlet:

```powershell
$username = Read-Host "Enter Username"
$password = Read-Host "Enter Password" -AsSecureString
```

Notice that $password only displays System.Security.SecureString on the screen, because the value is stored as a secure string rather than as text. You can then form a PSCredential object with this command:

```powershell
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
```

This is great for interactive scripts but not for scenarios where the script needs to run without user interaction, and the majority of scripts are of the latter kind.

We can use the ConvertTo-SecureString cmdlet to convert a plain string into a SecureString object. You can pass the string to the command directly or pipe it in (the literal password is omitted here):

```powershell
$password = ConvertTo-SecureString "<plain-text password>" -AsPlainText -Force
$password = "<plain-text password>" | ConvertTo-SecureString -AsPlainText -Force
```

The -AsPlainText parameter tells the cmdlet to treat the input as plain text. The string is not encrypted by this command, which is why -Force is also required with this parameter: the cmdlet refuses plain-text input without it, as a reminder that the value is exposed wherever that string came from. The SecureString object can then be used with cmdlets that have parameters of type SecureString, as is the case with a PSCredential object.

Unfortunately, you cannot directly save a SecureString object to a file for later use. You have to convert the SecureString to an encrypted standard string, which you can do with ConvertFrom-SecureString:

```powershell
"<plain-text password>" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString
```

You should see output something like this:

(Figure: encrypted output from the ConvertFrom-SecureString cmdlet)

We can now pipe this output to a file with the Out-File cmdlet, or alternatively store it in a variable. Even if someone has access to the output, he/she will not be able to read the password from it. When you need to use the encrypted password, simply reverse the process by importing the data from Password.txt and using the ConvertTo-SecureString cmdlet:

```powershell
$password = Get-Content "C:\temp\Password.txt" | ConvertTo-SecureString
```

We can also form a credential object from the file like this:

```powershell
$username = "itg-admin"
$passwordFile = "C:\temp\Password.txt"
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (Get-Content $passwordFile | ConvertTo-SecureString)
```

Note that this is not a foolproof method of securing a password, but it is far better than storing passwords in plain text. Also, this encrypted output can be read only by the same user account on the same machine, or any process running under that user account for that matter. This is because, by default, the ConvertFrom-SecureString cmdlet uses the Windows Data Protection API (DPAPI) to encrypt and decrypt strings, and DPAPI keys are tied to the user profile and the machine. So if you transfer the file containing the encrypted output to a different machine, or try to read it under a different user account, you will get an error like this:

(Figure: error while reading the encrypted output from another machine)

To get output that can be read on different machines, we need to use this cmdlet with the -Key or -SecureKey parameter (-Key takes a byte array, -SecureKey takes the key as a SecureString), which forces it to use the Advanced Encryption Standard (AES) algorithm with a key you supply instead of DPAPI. So, improving on our example, we should store the password with the commands below:

```powershell
$key = (1..16)
$password = "<plain-text password>" | ConvertTo-SecureString -AsPlainText -Force
$password | ConvertFrom-SecureString -Key $key | Out-File "C:\temp\Password.txt"
```

If we fetch the content of this file, it should look like this:

(Figure: encrypted output after using AES to encrypt the password)

You will notice that this output looks different from the DPAPI output, but looking random is not what makes it secure: the security of the file now rests entirely on the key, and (1..16) is a predictable demonstration key that anyone who reads the script can reproduce.

Reading the encrypted output on another machine: we can copy this file to another machine and read the password back with the same key:

```powershell
$key = (1..16)
$password = Get-Content "C:\Users\itg-admin\Desktop\Password.txt" | ConvertTo-SecureString -Key $key
```

For real use, generate a random AES key and store it in a secured file instead of hard-coding it. For this we can use the commands below (the key must be filled from a cryptographic random number generator; a fresh byte array is all zeros):

```powershell
$Key = New-Object Byte[] 16   # You can use 16, 24, or 32 bytes for AES-128, AES-192 or AES-256
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
```

Write $Key to a file that only the account running the script can read, and read it back as a byte array before passing it to -Key.

Now that you know how to use an AES key to make encrypted strings that can be read by different user accounts and workstations, you have to protect that key as best as you can, since anybody who has the AES key can decrypt the data it protects: restrict the key file's ACL to the account that runs the script, keep it off shared locations, and never store it next to the script or in source control.
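The following is an added, end-to-end example and not code from the original article. It ties the steps above together: it generates a random AES key with the OS random number generator, locks the key file down with icacls, encrypts a password with -Key, and rebuilds a PSCredential from the two files on whichever machine holds copies of them, with the decryption failure a wrong key or a DPAPI-protected file produces turned into a clear error. The paths C:\secure\aes.key and C:\secure\Password.txt, the account name svc-backup and the function names are assumptions for illustration.

```powershell
# Added example (not from the original article): AES-keyed credential storage end to end.
# Assumed paths and account names; adjust them for your environment.
$KeyFile      = 'C:\secure\aes.key'           # assumed location of the AES key
$PasswordFile = 'C:\secure\Password.txt'      # assumed location of the encrypted password
$ServiceUser  = "$env:USERDOMAIN\svc-backup"  # assumed account that runs the unattended script

function New-AesKeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet(16, 24, 32)][int]$Length = 32,   # AES-128 / AES-192 / AES-256
        [Parameter(Mandatory)][string]$Reader          # the only account allowed to read the key
    )
    # Fill the key from the OS CSPRNG. A fixed key such as (1..16) is only a demo key:
    # anyone who can read the script can reproduce it and decrypt the password file.
    $key = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    # Store raw bytes rather than text so the round trip needs no parsing.
    [System.IO.File]::WriteAllBytes($Path, $key)

    # Drop inherited ACEs and grant read access only to the account that runs the script.
    # Run this step as that account or as an administrator who will not need the key afterwards.
    icacls $Path /inheritance:r /grant:r "${Reader}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to restrict '$Path' to $Reader" }
    return $key
}

function Protect-Password {
    param(
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$Path
    )
    # -Key switches ConvertFrom-SecureString from DPAPI to AES, so the output is portable
    # across machines and accounts. Only the key file is secret; this file is not.
    $Password | ConvertFrom-SecureString -Key $Key | Set-Content -Path $Path
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$PasswordPath
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    try {
        $secure = Get-Content -Path $PasswordPath -TotalCount 1 |
            ConvertTo-SecureString -Key $key -ErrorAction Stop
    } catch {
        # A wrong or truncated key, or a DPAPI-protected file read with -Key, fails here
        # instead of silently producing garbage. (A DPAPI file read without -Key on another
        # machine or account fails the same way, typically as "Key not valid for use in
        # specified state".)
        throw "Could not decrypt '$PasswordPath' with key '$KeyPath': $($_.Exception.Message)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# --- One-time setup, run once on the machine where the secret is entered -----------------
$aesKey = New-AesKeyFile -Path $KeyFile -Length 32 -Reader $ServiceUser
$secret = Read-Host 'Password for svc-backup' -AsSecureString   # never a literal in the script
Protect-Password -Password $secret -Key $aesKey -Path $PasswordFile

# --- At run time, on any machine that holds a copy of both files ------------------------
$cred = Get-StoredCredential -UserName 'svc-backup' -KeyPath $KeyFile -PasswordPath $PasswordFile

# Round-trip check without exposing the plain text: SecureString reports its length.
if ($cred.Password.Length -ne $secret.Length) { throw 'Decrypted password does not match input' }
# $cred can now be passed to any cmdlet that takes -Credential, e.g. Invoke-Command -Credential $cred
```

Two design choices worth noting: the key is written and read as raw bytes with [System.IO.File] so that no text-to-byte parsing is needed on the reading side, and the verification at the end compares SecureString lengths rather than calling GetNetworkCredential(), which would materialise the plain-text password in memory and invite it into a log line. Copying aes.key to the target machine is the one step that moves secret material, so do it over an authenticated channel and apply the same icacls restriction there.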