Administrators often have to store passwords for automation scenarios directly in the body of PowerShell scripts. As you know, this is very insecure in a production environment, since other server users or administrators can see the password in clear text. So it is better to use a safer way of passing passwords to PowerShell scripts, or to encrypt the passwords if interactive input cannot be used.
It is safe to prompt a user to enter the password interactively in the script using the Get-Credential cmdlet. For example, let's prompt the user for a username and password and save them in a PSCredential object:
$Cred = Get-Credential
When you access the properties of the PSCredential variable, you can see the specified user name.
However, if you try to display the user password, only the text System.Security.SecureString is returned, because the password is stored as a SecureString.
The PSCredential object saved in the $Cred variable can be used in cmdlets that support this type of object.
The $Cred.Username and $Cred.Password properties can be used with cmdlets that don't support PSCredential objects but still require user credentials.
You can also use the Read-Host cmdlet with the -AsSecureString parameter to prompt a user for the password.
$pass = Read-Host "Enter your password" -AsSecureString
In this case you won't be able to view the contents of the $pass variable in which the password is stored.
In the methods of using passwords in PowerShell scripts considered above, the password is entered interactively when the script runs. However, these methods are not applicable to scripts that run automatically or from the Task Scheduler.
In that case it is more convenient to encrypt the account credentials (name and password) and save them to an encrypted text file on disk, or use them directly in the script.
Using the ConvertFrom-SecureString cmdlet you can convert a password from SecureString format to an encrypted string (it is encrypted with the Windows Data Protection API, DPAPI). You can display the encrypted password on the screen or save it to a file:
$Cred.Password | ConvertFrom-SecureString | Set-Content C:\ps\passwordfile.txt
To use the encrypted password from the file, you have to convert it back to SecureString format using the ConvertTo-SecureString cmdlet:
$username = 'corp\admin'
$pass = Get-Content C:\ps\passwordfile.txt | ConvertTo-SecureString
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $pass
This way you get a PSCredential object with the user credentials in the $creds variable.
However, if you try to copy passwordfile.txt to another computer, or use it under another user (not the one who created the password file), you will see that the $creds.Password property is empty and doesn't contain a password. The reason is that DPAPI encryption uses private keys stored in the user profile, so the password file can't be decrypted without that key. The following errors are returned:
ConvertTo-SecureString : Key not valid for use in specified state.
New-Object : Cannot process argument because the value of argument "password" is null. Change the value of argument "password" to a non-null value.
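As an added example (not code from the original article), here is a small loader that makes the DPAPI failure described above explicit instead of silently producing a credential with an empty password. It reads the file, converts it back with ConvertTo-SecureString, and reports which user and computer attempted the decryption when that fails. The file path under $env:TEMP, the account name corp\svc-demo and the demo password are constructed placeholders.

```powershell
# Added example: load a DPAPI-protected password file and fail loudly with a diagnostic.
# Paths, the account name and the demo password below are placeholders, not values from the article.

function Import-DpapiCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PasswordFile
    )

    if (-not (Test-Path -LiteralPath $PasswordFile)) {
        throw "Password file '$PasswordFile' not found."
    }

    $encrypted = Get-Content -LiteralPath $PasswordFile -Raw
    if ([string]::IsNullOrWhiteSpace($encrypted)) {
        throw "Password file '$PasswordFile' is empty."
    }

    try {
        # No -Key parameter: the data is protected with DPAPI and bound to the user profile
        # (and the computer) that created it.
        $secure = $encrypted.Trim() | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        $who = "$env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
        throw ("Cannot decrypt '$PasswordFile' as $who. A DPAPI-protected file can only be read " +
               "by the same user on the same computer that created it. " +
               "Underlying error: $($_.Exception.Message)")
    }

    if ($secure.Length -eq 0) {
        throw "Decrypted password is empty; the file is probably corrupted."
    }

    return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Round trip under the current user: protect a constructed demo secret, then load it again.
$demoFile   = Join-Path $env:TEMP 'passwordfile.txt'
$demoSecret = ConvertTo-SecureString 'Demo-P@ssw0rd' -AsPlainText -Force   # demo value, not a real credential
$demoSecret | ConvertFrom-SecureString | Set-Content -LiteralPath $demoFile

$cred = Import-DpapiCredential -UserName 'corp\svc-demo' -PasswordFile $demoFile
"Loaded credential for $($cred.UserName); password length = $($cred.Password.Length)"

Remove-Item -LiteralPath $demoFile
```

Run the same script as a different user, or copy the file to another computer, and the throw in the catch block fires with the DPAPI message instead of a credential object that only fails later, deep inside a scheduled task. Note that the no-key form of ConvertFrom-SecureString relies on DPAPI, which exists only on Windows.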
If the script is run under another (service) account or on another computer, you will have to use an encryption method different from DPAPI. You can specify an external encryption key using the -Key or -SecureKey parameters.
For example, you can generate a 256-bit AES key in PowerShell and use it to encrypt and decrypt the password file. Save this key to the text file password_aes.key:
$AESKey = New-Object Byte[] 32
# Fill the 32-byte array with random bytes; without this step the key would be all zeros
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($AESKey)
$AESKey | Out-File C:\ps\password_aes.key
Now you can save your password to the file using this key:
$Cred.Password | ConvertFrom-SecureString -Key (Get-Content C:\ps\password_aes.key) | Set-Content C:\ps\passwordfile.txt
So, you now have two files: one containing the encrypted password (passwordfile.txt) and another one with the encryption key (password_aes.key).
You can transfer them to another computer and try to get the password from the file (you can store the key file in a shared network folder):
$pass = Get-Content C:\ps\passwordfile.txt | ConvertTo-SecureString -Key (Get-Content \\srv1\Shared\password_aes.key)
If you don't want the trouble of a separate file with the AES key, you can embed the encryption key directly in the script. Then use the following instead of the key file in both cases:
[Byte[]] $key = (1..16)
$Cred.Password | ConvertFrom-SecureString -Key $key | Set-Content C:\ps\passwordfile.txt
[Byte[]] $key = (1..16)
$pass = Get-Content C:\ps\passwordfile.txt | ConvertTo-SecureString -Key $key
As you can see, the password is not empty, so it has been successfully decrypted and can be used on other computers. Keep in mind that a key written into the script (and a predictable one like 1..16) protects the password only from casual viewing: anyone who can read the script can decrypt the file.
Tip. You must restrict access to the file containing the AES key so that only the user or the account under which the script runs can read it. Double-check the NTFS permissions on password_aes.key after saving it in your shared folder.
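The following is an added example (not code from the original article) that ties the key-file approach and the tip above together: it generates a random 256-bit key, replaces the inherited NTFS ACL on the key file with explicit entries for one account, verifies that no broad group can read it, and then encrypts and decrypts a password with that key. The paths under C:\ps, the account name and the demo password are constructed placeholders.

```powershell
# Added example: random AES key file with a restricted NTFS ACL, plus encrypt/decrypt helpers.
# Paths, account names and the demo password are placeholders, not values from the article.

function New-AesKeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Account that will run the scheduled script, e.g. 'CORP\svc-backup' (placeholder).
        [string]$AllowedAccount = "$env:USERDOMAIN\$env:USERNAME"
    )

    # 32 random bytes = 256-bit AES key. A predictable key such as (1..16) gives no real protection.
    $key = New-Object Byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    $key | Out-File -LiteralPath $Path -Encoding ascii

    # Replace inherited permissions with explicit ones: the script account may read the key,
    # local Administrators keep full control so the file can still be managed.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting and discard inherited entries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($AllowedAccount, 'Read', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Returns $true when no broad, well-known group has an Allow entry on the key file.
function Test-KeyFilePermissions {
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -LiteralPath $Path
    $bad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    })
    return ($bad.Count -eq 0)
}

function Protect-PasswordToFile {
    param(
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Get-Content returns one decimal byte per line; PowerShell converts them to the Byte[] that -Key expects.
    $Password | ConvertFrom-SecureString -Key (Get-Content -LiteralPath $KeyFile) | Set-Content -LiteralPath $OutFile
}

function Unprotect-PasswordFromFile {
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$InFile
    )
    Get-Content -LiteralPath $InFile | ConvertTo-SecureString -Key (Get-Content -LiteralPath $KeyFile)
}

# Usage: build the key file, check its ACL, then round-trip a constructed demo password.
$keyFile = 'C:\ps\password_aes.key'
$pwFile  = 'C:\ps\passwordfile.txt'
New-Item -ItemType Directory -Path 'C:\ps' -Force | Out-Null
New-AesKeyFile -Path $keyFile -AllowedAccount "$env:USERDOMAIN\$env:USERNAME"
if (-not (Test-KeyFilePermissions -Path $keyFile)) {
    throw "Key file $keyFile is readable by a broad group; fix its NTFS permissions before using it."
}

$demo = ConvertTo-SecureString 'Demo-P@ssw0rd' -AsPlainText -Force   # demo value, not a real credential
Protect-PasswordToFile -Password $demo -KeyFile $keyFile -OutFile $pwFile
$restored = Unprotect-PasswordFromFile -KeyFile $keyFile -InFile $pwFile
"Restored SecureString length: $($restored.Length) (matches the demo password length)"
```

Test-KeyFilePermissions is the check to run again after the key file has been copied to a share, since the destination folder's inherited ACL, not the ACL set here, is what applies there. The key file still has to be readable by the script account, so an attacker who already runs code as that account can decrypt the password file; the ACL protects against other users of the same server and share, not against compromise of the account itself.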
Finally, here is the most unpleasant part. It is very easy to get the password from a PSCredential object in clear text.
You can also do it for a SecureString:
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass)
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
As you can see, this is the reason why you should not save the passwords of privileged accounts, like Domain Admins, anywhere but on the DCs.
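Because a stored key or an inline plain-text conversion gives anyone with read access to the script the password in clear text, it is worth scanning script repositories for the patterns discussed on this page. The following scanner is an added example (not code from the original article); the pattern list and the sample script it runs against are constructed here, and Find-EmbeddedSecretsInFolder is a hypothetical helper name.

```powershell
# Added example: scan PowerShell scripts for the risky patterns discussed above
# (hard-coded AES keys, plain-text passwords converted inline, SecureString-to-text calls).
# The pattern list and the sample script are constructed for this demo.

$SecretPatterns = @(
    @{ Name = 'Hard-coded AES key';            Regex = '\[\s*byte\[\]\s*\]\s*\$\w+\s*=\s*\(?\s*\d+\s*\.\.\s*\d+' }
    @{ Name = 'Inline -Key array';             Regex = '-Key\s+\(?\s*\d+\s*\.\.\s*\d+' }
    @{ Name = 'Plain-text password in script'; Regex = 'ConvertTo-SecureString\s+[''"][^''"]+[''"][^\n]*-AsPlainText' }
    @{ Name = 'SecureString exposed as text';  Regex = 'GetNetworkCredential\(\)\.Password|PtrToStringAuto|PtrToStringBSTR' }
)

function Find-EmbeddedSecrets {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$ScriptName = '<inline>'
    )
    $findings = @()
    $lines = $ScriptText -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        foreach ($p in $SecretPatterns) {
            # -match is case-insensitive by default, which suits PowerShell source
            if ($lines[$i] -match $p.Regex) {
                $findings += [pscustomobject]@{
                    Script  = $ScriptName
                    Line    = $i + 1
                    Finding = $p.Name
                    Text    = $lines[$i].Trim()
                }
            }
        }
    }
    return $findings
}

# Hypothetical helper: run the scanner over every .ps1 file under a folder.
function Find-EmbeddedSecretsInFolder {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        Find-EmbeddedSecrets -ScriptText (Get-Content -LiteralPath $_.FullName -Raw) -ScriptName $_.FullName
    }
}

# Constructed sample script that reproduces the weak patterns from this page.
$sample = @'
$username = 'corp\admin'
[Byte[]] $key = (1..16)
$pass = Get-Content C:\ps\passwordfile.txt | ConvertTo-SecureString -Key $key
$other = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $pass)
$clear = $cred.GetNetworkCredential().Password
'@

Find-EmbeddedSecrets -ScriptText $sample -ScriptName 'sample.ps1' | Format-Table -AutoSize
```

On the sample above the scanner flags line 2 (the embedded key), line 4 (the inline plain-text password) and line 6 (the SecureString converted back to text). A DPAPI- or key-file-based script like the ones earlier on this page produces no findings, which is the intended baseline for scripts that run from the Task Scheduler.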