Store Secured Password in PowerShell Script

Automation is awesome, but what happens when a script needs to run with elevated privileges?  If you follow security best practices, the account you log in with most likely does not have those privileges.  Storing the privileged account's password in plain text in your scripts is no good either.  So what do we do?  There are several options and each has its place, but I'll show you my favorite below.

The first thing we need to do is take the password from plain text and convert it to a SecureString.  This might sound difficult, but PowerShell makes it easy: the Read-Host cmdlet with the -AsSecureString switch prompts for the password without echoing it and returns a SecureString directly, so the plain text never has to be typed into a script or saved in your console history.

We will be using the password "PowerShellisAwesome" for our example (and yes, we know it is not very strong).  Once the SecureString is stored in a variable you can see its encrypted form by piping it to ConvertFrom-SecureString.  The output is a long hexadecimal string: the password encrypted with the Windows Data Protection API (DPAPI) under your user profile.  This is the string we copy into our automated scripts instead of the plain-text password.

Make sure that if the script will run on a different computer, or under a different account, you generate a new encrypted string there.  Without a -Key, ConvertFrom-SecureString uses DPAPI scoped to the current user's profile, so the output can only be decrypted by the same user on the same machine.  On any other machine, or as any other user, ConvertTo-SecureString fails with an error rather than returning a usable password.

Read-Host

 

Now we can switch back over to our automated script.  We will need to create three new variables:

  1. one that stores the user name,
  2. one that stores the long encrypted password string from ConvertFrom-SecureString, turned back into a SecureString with ConvertTo-SecureString, and
  3. one that stores the whole credential, a PSCredential object built from the first two.

 

Here is what it would look like put all together.

That’s it!  You can now call this credential throughout your script whenever elevated privileges are needed.  For example…

You can now use this in all your scripts that run on the same machine as the same user.  All you have to do is copy this block from one script to the next.
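The whole procedure above, as an added example that is not the original post's code: an interactive one-time step that stores the DPAPI-encrypted string, and the three variables (user name, encrypted string, credential) the automated script builds from it. It reads the encrypted string from a file rather than pasting it into the script body, so the blob stays out of source control; the account name CONTOSO\svc-automation, the server name server01 and the file path are placeholders chosen for the example, and Save-StoredPassword and Get-StoredCredential are helper names invented here.

```powershell
# Added example, not the original post's code. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, where ConvertFrom-SecureString without -Key encrypts with
# DPAPI scoped to the current user on this machine. The account name, server name
# and file path are placeholders chosen for the example.

function Save-StoredPassword {
    # Run ONCE, interactively, as the user and on the machine that will run the
    # automated script. The password is never echoed and never lands in the script.
    param([Parameter(Mandatory)][string]$Path)

    $secure = Read-Host -Prompt 'Password to store' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path

    # DPAPI already ties the blob to this user, but an owner-only ACL also keeps
    # other local accounts from copying the file around.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited entries
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    # The three variables from the post: user name, encrypted string, credential.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Path
    )

    $encrypted = (Get-Content -Path $Path -Raw).Trim()   # the long hex string
    try {
        $securePassword = $encrypted | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # DPAPI refuses blobs created by another user or on another machine, so stop
        # here with a clear message instead of continuing without a credential.
        $msg = "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME. " +
               "Re-create it on this machine as the user running the script. " +
               "Error: $($_.Exception.Message)"
        throw $msg
    }
    return New-Object System.Management.Automation.PSCredential ($UserName, $securePassword)
}

# One-time setup, typed at the console by the account that runs the job:
$credFile = Join-Path $env:USERPROFILE 'svc-automation.cred'
if (-not (Test-Path -Path $credFile)) { Save-StoredPassword -Path $credFile }

# In the automated script, whenever elevated rights are needed:
$credential = Get-StoredCredential -UserName 'CONTOSO\svc-automation' -Path $credFile
Invoke-Command -ComputerName 'server01' -Credential $credential -ScriptBlock {
    Get-Service -Name Spooler
}
```

Because the try/catch stops the script when the blob was made by another user or on another machine, a scheduled task that is accidentally set to run as a different account fails with a message naming the user and computer instead of silently running unauthenticated.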

Final Thoughts

Just remember that this is encryption with a key Windows manages for your user profile, not a secret only you hold: anyone who can run code as your user on this machine, or who logs in with your credentials, can decrypt the string back into the password and reuse it.  What we are trying to do is keep the password out of plain text on disk, so that reading the script, copying it, or committing it to source control does not hand the password over.  This isn't a perfect solution, but it's pretty good for most things.
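The limit described above, as an added demonstration that is not part of the original post: the stored string contains no plain text, but the same user on the same machine gets the password back in one line. The password and the temporary file path are constructed for the demonstration.

```powershell
# Added example, not from the original post: what the stored string does and does
# not protect. Same user, same Windows machine; the password and temp file path are
# constructed for the demonstration.

$credFile = Join-Path $env:TEMP 'demo.cred'
'PowerShellisAwesome' | ConvertTo-SecureString -AsPlainText -Force |
    ConvertFrom-SecureString | Set-Content -Path $credFile

# What it does: the file holds only the DPAPI-encrypted hex string, never the
# password itself, so a copy of the file or the script does not reveal it.
$stored = (Get-Content -Path $credFile -Raw).Trim()
"Hex only:              $($stored -match '^[0-9a-fA-F]+$')"
"Contains the password: $($stored.Contains('PowerShellisAwesome'))"

# What it does not: any code running as this user on this machine, including an
# attacker who has your session, turns the string straight back into the password.
$recovered = [System.Net.NetworkCredential]::new('', ($stored | ConvertTo-SecureString)).Password
"Recovered as the same user matches: $($recovered -eq 'PowerShellisAwesome')"

# A different user, or this user on another machine, gets an error from
# ConvertTo-SecureString instead; that cannot be shown from a single session.
Remove-Item -Path $credFile
```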

 

As always, your comments and questions are welcome.  If you like what you've read, please leave a comment or review and make sure you sign up for our newsletter so you know when the latest blog posts arrive.

 

  • GS

    Why is your secure string much longer than mine when generated from PowerShell?

    PS C:\Users\gs\Documents> (("PowerShellisAwesome" | ConvertTo-SecureString -Force -AsPlainText) | ConvertFrom-SecureString).Length

    356

  • Matthew Allison

    I’ve written something similar to handle this use case and a few functions to support it for easier use.

    Basically I create a PSCredential object and then store it in a JSON formatted file, allowing for an optional independent encryption key if machine portability is required.

    function Read-PSCredentialFromFile {
        Param(
            [Parameter(Mandatory=$true)]
            [string]$Path,

            [Parameter(Mandatory=$false)]
            [byte[]]$Key
        )

        # Read the JSON file back into an object with UserName and Password properties.
        $json = (Get-Content -Path $Path) -join "`n" | ConvertFrom-Json
        $UserName = $json.UserName

        # With -Key the stored string was encrypted with that AES key and is portable
        # between machines; without it, DPAPI for the current user on this machine is used.
        if ($Key) {
            $Password = [string]$json.Password | ConvertTo-SecureString -Key $Key
        } Else {
            $Password = [string]$json.Password | ConvertTo-SecureString
        }

        # The Create-PSCredential helper this originally called is not shown; the
        # built-in PSCredential constructor does the same job.
        $credential = New-Object System.Management.Automation.PSCredential ($UserName, $Password)

        return $credential
    }

    function Write-PSCredentialToFile {
        Param(
            [Parameter(Mandatory=$true)]
            [PSCredential]$Credential,
            [Parameter(Mandatory=$true)]
            [string]$Path,

            [Parameter(Mandatory=$false)]
            [byte[]]$Key
        )

        $contents = @{}
        # ConvertFrom-SecureString returns the encrypted password as a hex string.
        if ($Key) {
            $encrypted = ConvertFrom-SecureString $Credential.Password -Key $Key
        } Else {
            $encrypted = ConvertFrom-SecureString $Credential.Password
        }

        $contents.Add("UserName", $Credential.UserName)
        $contents.Add("Password", $encrypted)

        $contents | ConvertTo-Json | Out-File $Path
    }