Store Secured Password in PowerShell Script
Automation is awesome, but what if you need to run a script with elevated privileges? If you are following security best practices, then the account you log in with most likely doesn’t have the required elevated privileges. Storing your password in plain text in your scripts is no good either. So what do we do? There are several options and each has its place, but I’ll show you my favorite below.
The first thing we need to do is take your password from plain text and convert it to SecureString. This might sound difficult, but PowerShell makes this easy. We use the Read-Host cmdlet with the -AsSecureString switch to accomplish this.
We will be using the password “PowerShellisAwesome” for our example, and yes, I know it’s not super strong. Once you have the password stored in a variable, you can see what the SecureString looks like by using ConvertFrom-SecureString. This is the information that we need to copy and use in our automated scripts.
Make sure that if you run the scripts from different computers, you create a new SecureString on each of those computers. A SecureString generated on one machine cannot be used on any other machine.
Now we can switch back over to our automated script. We will need to create 3 new variables.
- $UserName - This will store the username.
- $Password - This will store our huge password string.
- $Cred - This will store the whole credential.
Here is what it looks like all put together.
#Elevated account name
$UserName = "yourdomain\username"
#Password we generated from Read-Host
$Password = "<paste the output of ConvertFrom-SecureString here>" | ConvertTo-SecureString
#Store all of this in a format that PowerShell can use.
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $Password
That’s it! You can now call this credential throughout your script whenever elevated privileges are needed. For example…
#Connect to Office 365 with our stored credentials
Connect-MSOLService -Credential $Cred
You can now use this in all your scripts (running on the same machine). All you have to do is copy this block from one script to the next.
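The whole procedure above, from capturing the password to rebuilding the credential, as an added example (not the original author's code). The function names Save-EncryptedPassword and Get-StoredCredential and the file location are hypothetical, and it goes one step beyond the post by keeping the encrypted string in a file instead of pasting it into each script. Without a -Key parameter, ConvertFrom-SecureString relies on Windows DPAPI, so the string only decrypts for the same user account on the same computer.

```powershell
# Hypothetical location for the encrypted string (an assumption for this example).
$CredFile = Join-Path $env:LOCALAPPDATA 'Automation\elevated-password.txt'

# One-time setup: run interactively as the account that will later run the automation.
function Save-EncryptedPassword {
    param([Parameter(Mandatory)][string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Prompt without echoing; the password is never held in a plain string variable.
    $secure = Read-Host -Prompt 'Password for the elevated account' -AsSecureString
    # No -Key is given, so DPAPI encrypts for the current user on this computer.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

# Called from the automated script to rebuild the credential object.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path $Path)) {
        throw "No encrypted password at $Path. Run Save-EncryptedPassword first."
    }
    try {
        # Read only the first line so a trailing newline is not passed along.
        $secure = Get-Content -Path $Path -TotalCount 1 |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Decryption fails if the string was created by another user or on another computer.
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME. Regenerate it here."
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage:
#   Save-EncryptedPassword -Path $CredFile        # once, interactively
#   $Cred = Get-StoredCredential -UserName 'yourdomain\username' -Path $CredFile
#   Connect-MsolService -Credential $Cred
```

Because decryption is tied to the account, a scheduled task that uses this file must run as the same user who ran Save-EncryptedPassword.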
Just remember that this method of encryption is not going to stop someone from figuring out your password or from reusing it if they were able to log in with your other credentials. The thing we are trying to do is make it difficult for 99% of people to reuse your password by not keeping it in plain text. This isn’t a perfect solution, but it’s pretty good for most things.