Encrypting Passwords in PowerShell (Part 2)

Tobias — Mon, 25 Oct 2010 09:16:00 GMT

In Part 1, you learned how to "obfuscate" passwords in your scripts. Obfuscation is not secure because at the end of the day, the user could still retrieve the password. Obfuscation is just a technique to make it harder to obtain the password. So let's examine some ways to increase security.

Hiding the Secret

The only safe way to hard-code passwords in scripts is to encrypt them with a secret that is not shared in the same script. One such secret would be your access token (your identity). This technique is useful when you want to hard-code a password in your script and you (and only you) are using that script. Let's say you have to log on to some servers regularly or want to automate some personal tasks. Then you could encrypt your password with your access token. Whenever you launch the script, the password can be unencrypted. If someone else snoops through your hard drive and finds your script, or if you store it on a USB drive and lose it, no one else can ever get to your hard coded password.

Using Your Identity as Secret

Actually, you can almost use the script presented in Part 1. All you do is remove the lines dealing with a separate encryption key. If you do not use an encryption key, PowerShell uses your identity as secret instead:

# Path to the script to be created:
$path = 'c:\scripts\template.ps1'

# Create empty template script:
New-Item -ItemType File $path -Force -ErrorAction SilentlyContinue | Out-Null

$pwd = Read-Host 'Enter Password' -AsSecureString
$user = Read-Host 'Enter Username'
$pwdencrypted = $pwd | ConvertFrom-SecureString

$private:ofs = ' '
('$password = "{0}"' -f $pwdencrypted) | Out-File $path
'$passwordSecure = ConvertTo-SecureString -String $password' |
Out-File $path -Append
('$cred = New-Object system.Management.Automation.PSCredential("{0}", $passwordSecure)' -f $user) |
Out-File $path -Append
'$cred' | Out-File $path -Append

ise $path

You can download this script here: http://powershell.com/cs/media/p/7981.aspx

Creating a Safe Password Script

Run the script. It will ask you for the password you want to encrypt and the user name. Then, it autogenerates the script for you and opens it in ISE.

Once you run the autogenerated script, you get back a valid credential object that you can use to authenticate against WMI or start processes with. Since the secret key is now your identity, no secret key is stored within the script. Instead, when someone else runs your script the decryption process will fail, and the password is safe.

Exporting and Importing Credentials

On a related page, you can also export credentials to an xml file and import them later. This approach uses the very same technique. Here is how: http://powershell.com/cs/blogs/tips/archive/2009/12/08/exporting-and-importing-credentials.aspx

Of course, the approach described today only works when the person encrypting the password is the same person using that password later on. If you need to create a script that is run by someone else, you need to use the unsafe approach outlined in Part 1 of this series - or you'd have to wait for Part 3 where I present some additional cool ways of encrypting passwords.

Tobias

Microsoft MVP PowerShell Germany

P.S.
If you live in Germany or other parts of Europe and your company would like to set up a truly great PowerShell training, just contact me! I regularly train mid- to large-size companies. Trainings are always a blast with tons of real-world-examples and solutions. Here's how to get in touch with me: tobias.weltner@scriptinternals.de

Dreaming in PowerShell : Credential, Access Token

Encrypting Passwords in PowerShell (Part 2)

Hiding the Secret

Using Your Identity as Secret

Creating a Safe Password Script

Exporting and Importing Credentials