As a system admin, managing the passwords used by automation scripts in PowerShell is a tricky task. There is always a risk that someone finds the password simply by taking your code from the server or the automation tool. To address this, all of our automation scripts call a password that is stored in encrypted form elsewhere and reference it for authentication.
In PowerShell, one way to store sensitive information on disk is through secure strings. A secure string is an ordinary string encrypted with a key tied to the logged-in user's Windows account (DPAPI). Creating one is easy with the ConvertTo-SecureString command, and doing so reduces the risk significantly compared with a plain-text password, depending on the method used.
Step 1: Create your encrypted password file.
Method 1: Using your login credential as password.
First you need a standalone .ps1 script that generates your password file as an encrypted string. Here we encrypt the password taken from a credential prompt. The following code achieves this:
# Set and encrypt credentials to file using the default ConvertFrom-SecureString method (DPAPI, current user)
(Get-Credential).Password | ConvertFrom-SecureString | Set-Content "C:\D_EMS Drive\Personal\LBLOG\Encrypted_password.txt"
After executing the above script, a prompt window pops up asking for the user name and password; enter the credentials you want to save. In our example an encrypted password file is saved to "C:\passwords\password.txt". The script writes only the encrypted form of the password to that text file.
Method 2: Encrypt password by input value
If you already have a password and want to encrypt it by entering it as input, the script below prompts for it via the Read-Host command with the AsSecureString parameter, which masks your input and returns a secure string:
# Prompt for the password (input is masked) and convert it to the encrypted string form
$securePassword = Read-Host -AsSecureString | ConvertFrom-SecureString
# Write the encrypted string to the password file
$securePassword | Out-File -FilePath "C:\D_EMS Drive\Personal\LBLOG\Encrypted_password.txt"
After executing the above script, you can inspect the variable's value and see that your input is encrypted. The encrypted password is then saved to the text file.
Step 2: Use the Encrypted password in the powershell script to authenticate.
Now, how do we retrieve these credentials? Easy: whenever we need them, we include the syntax below in our scripts to build the credential object.
You now have a password stored on disk in encrypted form in the file "Encrypted_password". To retrieve it, use Get-Content to read the file, convert the content back to a secure string, and create a PSCredential object from it. Then just pass $credential to whatever cmdlets need a PSCredential to authenticate. If we look at what is in the $credential variable we can see our username and the password as a SecureString.
$username = "SysAdmin"
# Read the encrypted string and convert it back to a SecureString (only works for the user and machine that created it)
$password = Get-Content "C:\D_EMS Drive\Personal\LBLOG\Encrypted_password.txt" | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
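The two steps above put together, as an added example that is not part of the original post: the save step also restricts the file's NTFS ACL to the current user, and the load step reports clearly when ConvertTo-SecureString fails because the file was created by a different user or on a different machine. The path, the account name and the function names are placeholders chosen for this example.

```powershell
# Added example (not from the original post). Path and account name are placeholders.
$PasswordFile = 'C:\automation\secrets\Encrypted_password.txt'
$UserName     = 'SysAdmin'

function Save-EncryptedPassword {
    param([Parameter(Mandatory)][string]$Path)
    # Prompt for the password as a SecureString and write the DPAPI-protected blob.
    $secure = Read-Host -Prompt 'Password to store' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path
    # Restrict the file to the current user. The blob is only decryptable by this user
    # on this machine anyway, but the ACL also keeps the ciphertext from being copied.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$User)
    try {
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # ConvertTo-SecureString fails here when the file was written by another user
        # or on another machine (DPAPI key mismatch), or when the file is missing.
        throw "Could not load '$Path' as $env:USERNAME on $env:COMPUTERNAME: $_"
    }
    New-Object System.Management.Automation.PSCredential($User, $secure)
}

# Usage: run the first line once interactively under the automation account,
# then call the second line from the scheduled script.
# Save-EncryptedPassword -Path $PasswordFile
# $credential = Get-StoredCredential -Path $PasswordFile -User $UserName
```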
What do you think?
I hope you now have an idea of how to encrypt and store credentials securely for use with PowerShell automation scripts. I would like to have feedback from my readers. Your valuable feedback, questions, or comments about this article are always welcome.
I believe the point here is to be able to save PowerShell scripts where passwords are not stored in plain text in the script. My understanding is also that you will be able to decrypt the secure passwords but a different user cannot.
For future readers looking into this matter, this method is “secure” because the password string can only be “decrypted” from the machine and user that it was created on. Otherwise it is not helpful if the script needs the credentials to be used over multiple users and machines. Here’s another article on the matter: https://4sysops.com/archives/powershell-credentials-how-to-encrypt-a-password/
If I can immediately view the password in plain text with one command, I do not believe that qualifies as secure password storage. Try this: “$credential.GetNetworkCredential().Password”