Secure Password (Credentials) Encryption in PowerShell Scripts

Administrators usually must retailer passwords in automation situation instantly in the physique of PowerShell scripts. As you already know, this can be very insecure when used in a productive surroundings, since different server customers or directors can see the password in clear textual content. So it’s higher to make use of a safer means to make use of passwords in PowerShell scripts, or to encrypt passwords if interactive enter can’t be used.

It is protected to immediate a person to enter password in the script interactively utilizing the Get-Credential cmdlet. For instance, let’s immediate a person for the username and password and save them in the PSCredential object:

$Cred = Get-Credential

When addressing the properties of the PSCredential variable, you could find the desired person title.


However, when making an attempt to show the person password, the next textual content will likely be returned: System.Security.SecureString, because the password is saved as SecureString.



The PSCredential object now we have saved in the $Cred variable can be utilized in cmdlets that help the sort of objects.

The $Cred.Username and $Cred.Password parameters can be utilized in cmdlets that don’t help PSCredential objects, however require enter of person credentials.

You may also use Read-Host cmdlet with the AsSecureString attribute to immediate a person to enter the password.
$go = Read-Host "Enter your password" –AsSecureString

get password AsSecureString in powershell script with read-host

In this case you received’t have the ability to view the contents of $go variable, in which the password is saved.

In the methods of utilizing password in PowerShell scripts thought of above, an interactive password enter has been used when operating the script. However, these strategies will not be relevant for eventualities run routinely or utilizing the Task Scheduler.

In this case, it’s extra handy to encrypt the account credentials (title and password) and save them to an encrypted textual content file on the disk or use instantly in the script.

Thus, utilizing ConvertFrom-SecureString cmdlet you’ll be able to convert a password from SecureString format to an encrypted string (it’s encrypted utilizing Windows Data Protection API — DPAPI). You can show the encrypted password on the display or reserve it to a file:

$Cred.Password| ConvertFrom-SecureString | Set-Content c:pspasswordfile.txt


To use the encrypted password from the file, you need to convert it again to the SecureString format utilizing the ConvertTo-SecureString cmdlet:

$username = 'corpadmin'
$go = Get-Content c:pspasswordfile.txt | ConvertTo-SecureString
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $go


This means you bought a PSCredential object with person credentials in the $creds variable.

However, should you try to copy the passwordfile.txt to a different laptop or use for one more person (not for the one who created the password), you will note that $creds.password variable is empty and doesn’t comprise a password. The matter is that DPAPI encryption makes use of the personal keys saved in the person profile. You received’t have the ability to decrypt the password file with out key.

ConvertTo-SecureString : Key not legitimate to be used in specified state.
"Cannot course of argument as a result of the worth of argument "password" is null. Change the worth of argument "password" to a non-null worth."

ConvertTo-SecureString : Key not valid for use in specified state

If the script (service) account or on one other laptop, you’ll have to use one other encryption methodology completely different from DPAPI. You can specify the exterior encryption key utilizing –Key or –SecureKey parameters.

For instance, you’ll be able to generate a 256-bit AES key in PowerShell and use it to decrypt the file. Save this key to the textual content file password_aes.key.

$AESKey = New-Object Byte[] 32
$AESKey | out-file C:pspassword_aes.key


Now it can save you your password to the file utilizing this key:

$Cred.Password| ConvertFrom-SecureString -Key (get-content C:pspassword_aes.key)| Set-Content c:pspasswordfile.txt

encrypt a password with the 256-bit AES key

Don’t overlook that should you specify a website account in your PowerShell script and your area has a daily , you’ll have to replace this file after every password change (you’ll be able to create a separate password coverage for the particular accounts utilizing ).

So, you’ve got two information: a file containing the encrypted password (passwordfile.txt) and one other one with the encryption key (password_aes.key).

You can switch them to a different laptop and attempt to get the password from the file (you’ll be able to retailer the file with the important thing in your shared community folder).

$go = Get-Content c:pspasswordfile.txt | ConvertTo-SecureString -Key (get-content srv1Sharedpassword_aes.key)

get securestring from password file with aes key

If you don’t wish to take the difficulty of a separate file with the AES key, you’ll be able to combine the encryption key instantly into the script. Then use the next as an alternative of the important thing in each instances:

[Byte[]] $key = (1..16)
$Cred.Password| ConvertFrom-SecureString –Key $key| Set-Content c:pspasswordfile.txt

For decryption:

[Byte[]] $key = (1..16)
$go = Get-Content c:pspasswordfile.txt | ConvertTo-SecureString -Key $key

encrypt password file with generated private key

As you’ll be able to see, the password will not be empty, so it has been efficiently decrypted and could also be used on different computer systems.

Tip. You should limit entry to the file containing the AES key in order that solely the person or the account underneath which the script is operating can entry it. Double-check NTFS permissions on the password_aes.key after saving it in your shared folder.

Finally, right here is essentially the most uncomfortable factor. It could be very simple to get a password from a PSCredential object in the clear textual content:


You may also do it for SecureString:

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($go)

powershell: getting plain text password from a securestring

As you see, that is the explanation why you need to not save passwords of privileged accounts, like Domain Admins, anyplace however on the DCs.

Check Also

How to Use Native SSH Client in Windows 10?

The built-in SSH shopper appeared in Windows 10 and Windows Server 2019. Ssh.exe can be …

Leave a Reply

Your email address will not be published. Required fields are marked *