Using secure passwords in your PowerShell scripts


  • Generate a secure string
  • Convert it to an encrypted string
  • Create and set a PSCredential object

System administrators often need to deal with credentials. An IT infrastructure is about security; that’s one of the root reasons for any enterprise to have it implemented. PowerShell has a great way to easily secure your passwords, so you can deploy scripts using whatever credential you need without violating your company’s security principles.


  • Generate a secure string

The first thing we must keep in mind is that we don’t want to pass our password as plain text, ever!

So how will we specify it?

By using the -AsSecureString parameter of the Read-Host cmdlet and storing the result in a variable:

$Password = Read-Host -AsSecureString

  • Convert it to an encrypted string

To re-use the secure string that we’ve just created, we need to save it in a file (like a .txt), but first we must convert it from a secure string to an encrypted standard string using the ConvertFrom-SecureString cmdlet. This way we’ll be able to read the encrypted string from the .txt file and convert it back to the same secure string we specified.

We also need to set an encryption key; when a key is specified, the Advanced Encryption Standard (AES) encryption algorithm is used. The encryption key must have a length of 128, 192 or 256 bits.

We can set the key length by choosing the number of bytes in the key:

#16 bytes = 128 bits
#24 bytes = 192 bits
#32 bytes = 256 bits

#Use 128 bits key length
$Key = (1..16)

#Read the password, encrypt it with the key,
#and save the encrypted password in C:\EncryptedPass.txt
Read-Host -AsSecureString |
    ConvertFrom-SecureString -Key $Key |
    Set-Content -Path c:\EncryptedPass.txt

#Use Invoke-Item (ii) to open the .txt to see the result content
ii c:\EncryptedPass.txt

  • Create and set a PSCredential object

Since we have already created our encrypted pass, the script above is no longer necessary. The next script reads the EncryptedPass.txt value and converts it back to a System.Security.SecureString object using the ConvertTo-SecureString cmdlet. Just don’t forget to use the same AES key (and therefore the same key length) that was used to generate the encrypted pass before!

  • Match the AES key (and its length) with the key used to generate the encrypted pass.
  • Store the domain user in the $User variable.
  • Store the secure string in the $Password variable.
  • Create a PSCredential object passing the $User and $Password arguments, and store it in the $Cred variable.

$Key = (1..16)
$User = "$env:USERDOMAIN\Administrator"
$Password = Get-Content c:\EncryptedPass.txt | ConvertTo-SecureString -Key $Key
$Cred = New-Object -TypeName pscredential -ArgumentList (($User),($Password))

#Usage example
Start-Process -FilePath c:\file.exe -Credential $cred

$env:USERDOMAIN is an environment variable that contains the name of the domain in which the computer is registered.

Take a look at the PSCredential object which is stored in $cred variable.
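
An added example, not code from the original post: the same workflow with a randomly generated 256-bit key kept in an ACL-restricted file instead of the fixed (1..16) array, because anyone who can read a script with the key embedded can also decrypt the password file. The file paths and the choice to grant access only to the current account are assumptions.

```powershell
# Added example. Paths are hypothetical, not from the original post.
$KeyPath  = Join-Path $env:USERPROFILE 'aes.key'            # hypothetical key file
$PassPath = Join-Path $env:USERPROFILE 'EncryptedPass.txt'  # hypothetical password file

# --- One-time setup ----------------------------------------------------------
# Generate a random 256-bit key (32 bytes) with the cryptographic RNG.
$Key = New-Object byte[] 32
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Rng.GetBytes($Key)
$Rng.Dispose()

# Create the key file empty, restrict its ACL to the current account
# (assumption: this is the account that will run the script), then write the key.
New-Item -Path $KeyPath -ItemType File -Force | Out-Null
$Identity = "$env:USERDOMAIN\$env:USERNAME"
$Acl = Get-Acl -Path $KeyPath
$Acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited entries
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'FullControl', 'Allow'
$Acl.SetAccessRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl
[System.IO.File]::WriteAllBytes($KeyPath, $Key)

# Encrypt the password with that key and save the encrypted string.
Read-Host -Prompt 'Password' -AsSecureString |
    ConvertFrom-SecureString -Key $Key |
    Set-Content -Path $PassPath

# --- In the deployed script --------------------------------------------------
# Load the key and refuse to continue if it is not a valid AES key length.
$Key = [System.IO.File]::ReadAllBytes($KeyPath)
if ($Key.Length -notin 16, 24, 32) {
    throw "Unexpected key length: $($Key.Length) bytes"
}

$User     = "$env:USERDOMAIN\Administrator"
$Password = Get-Content -Path $PassPath | ConvertTo-SecureString -Key $Key
$Cred     = New-Object -TypeName pscredential -ArgumentList $User, $Password
```

The key file is now the secret: whoever can read both it and the encrypted password file can recover the password, so keep the two apart and audit who has read access to the key.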


  • Conclusion

There are several cmdlets that contain the -Credential parameter. Now you can securely specify either your own credentials or another credential to leverage the process in your scripts. I hope this was helpful for you.

You can see more articles like this in my PowerTips section.

If you like this post, please be sure to share it with your mates. 🙂

