Wednesday, June 29, 2011

Securing passwords in PowerShell

It is sometimes necessary to use plaintext passwords in PowerShell scripts, but obviously not a good idea to have those passwords stored in cleartext on disk. The solution is to use the PowerShell ConvertTo-SecureString and ConvertFrom-SecureString cmdlets to encrypt the password, save it to a file, and then decrypt it in memory when required. I ported this function to PowerShell for properly converting the SecureString to a string.

The code below uses the default encryption method, which is specific to the logged in user (or, more precisely, the user that is running the code). Note that, for machines that have joined a domain, a domain administrator can decrypt your data by resetting your password. No other users can decrypt your data.

Encrypt password and save to a file

$secureStringPassword = Read-Host "Enter the password" -AsSecureString
$encryptedPassword = ConvertFrom-SecureString $secureStringPassword
Set-Content -Path Password.bin -Value $encryptedPassword

Load and decrypt the password in memory

function ConvertToUnsecureString(
    [System.Security.SecureString][parameter(mandatory=$true)]$SecurePassword)
{
    $unmanagedString = [System.IntPtr]::Zero;
    try
    {
        $unmanagedString = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($SecurePassword)
        return [Runtime.InteropServices.Marshal]::PtrToStringUni($unmanagedString)
    }
    finally
    {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($unmanagedString)
    }
}

$encryptedPassword = Get-Content -Path Password.bin
$secureStringPassword = ConvertTo-SecureString -String $encryptedPassword
$password = ConvertToUnsecureString $secureStringPassword 

0 comments:

Post a Comment