
Encrypt Passwords in your PowerShell scripts

When I first started using PowerShell and making scripts do things on a remote computer, or when a certain command required credentials to be passed, I, like every beginner, just put the password in plain text in the script.
Over time, I've come to realize this isn't the safest option, especially when your users have to run the script and they just happen to know how to open it in Notepad.

Therefore I've learned to encrypt the passwords and store them in a file where no user should ever be.

The process to encrypt your passwords is simple if you follow these steps:

This method creates an encrypted file that can only be used by the account that created it, on the computer it was created on (ConvertFrom-SecureString without a key protects the string with the Windows Data Protection API, which is bound to that user and machine).

  1. Open up a PowerShell prompt
  2. Type in the following command: (Get-Credential).Password | ConvertFrom-SecureString | Set-Content "password file"
    When the popup appears to enter credentials, just randomly mash your keyboard in the User Name field. It doesn't matter what you enter there; that value will not be converted.
    If you open the file in Notepad you'll notice it looks like your cat walked over your keyboard while you were in the bathroom. This is in fact your encrypted password.
  3. Add the following lines to your script to start using it:
    $username = "username"
    # Only the account that ran step 2, on the same computer, can convert this back
    $encrypted = Get-Content "password file" | ConvertTo-SecureString
    $muhcredentialz = New-Object System.Management.Automation.PSCredential($username, $encrypted)

 

This method creates an encrypted file that you can use everywhere, because the key it was encrypted with is stored in a second file instead of being tied to the user and computer

  1. Open up a PowerShell prompt
  2. Enter the following lines one by one. Alternatively, save the entire thing as a .ps1 file and run it.

    $credential = Get-Credential
    $passwordsecure = $credential.Password

    $AESkeypath = "<path to key file>"
    $credentialfilepath = "<path to password file>"
    # 32 random bytes = a 256-bit AES key
    $AESkey = New-Object Byte[] 32
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESkey)

    Set-Content $AESkeypath $AESkey
    $password = $passwordsecure | ConvertFrom-SecureString -Key $AESkey
    # Set-Content rather than Add-Content, so re-running the script does not append a second blob to the file
    Set-Content $credentialfilepath $password

    This creates two files: the AES key, and the password encrypted with that key.

  3. To use the two files, add the following lines to your script
    $admin = "<user login name/email, whatever the service expects>"
    $key = Get-Content "<path to key file>"
    $passcode = Get-Content "<path to password file>"
    $encrypted = $passcode | ConvertTo-SecureString -Key $key
    $credentials = New-Object System.Management.Automation.PSCredential($admin, $encrypted)
  4. Now you can use the $credentials variable to pass credentials to all kinds of services, Microsoft 365 for example.

With this method you have less to worry about when moving the script to a new server, or if the user that created the files gets replaced or removed.

For extra security you could put the files on a hidden network share and give access only to the people that need to run the script that calls for the specific password file. Keep in mind that the key file is the real secret here: anyone who can read both the key and the password file can recover the password, so the key file needs at least the same access restrictions as a plain-text password would.
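The two-file method from the steps above, as an added example that is not the post's own code: it wraps the steps in functions, replaces the inherited ACL on both files so that only the account that created them can read them (the same goal as the restricted share above), and loads the credential back. The C:\secrets paths and the svc-m365 user name are assumptions.

```powershell
function Protect-FileForCurrentUser {
    param([Parameter(Mandatory)] [string] $Path)
    # Replace the inherited ACL with a single rule for the account running this.
    # The key file is the real secret: anyone who can read both files has the password.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function New-ProtectedCredentialFile {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $PasswordPath
    )
    # 32 random bytes = AES-256 key. RandomNumberGenerator is the current API;
    # RNGCryptoServiceProvider from the post still works but is marked obsolete.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    foreach ($p in $KeyPath, $PasswordPath) {
        New-Item -Path $p -ItemType File -Force | Out-Null   # create empty, lock down, then write
        Protect-FileForCurrentUser -Path $p
    }
    # Set-Content rather than Add-Content, so re-running never appends a second blob.
    Set-Content -Path $KeyPath -Value $key
    Set-Content -Path $PasswordPath -Value ($Credential.Password | ConvertFrom-SecureString -Key $key)
}

function Get-ProtectedCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $PasswordPath
    )
    $key    = [byte[]](Get-Content -Path $KeyPath)   # one decimal byte per line, as Set-Content wrote it
    $secure = Get-Content -Path $PasswordPath | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage (assumed paths): create the files once, then load them from any script.
$keyFile = 'C:\secrets\script.key'; $passFile = 'C:\secrets\script.pwd'
New-ProtectedCredentialFile -Credential (Get-Credential) -KeyPath $keyFile -PasswordPath $passFile
$cred = Get-ProtectedCredential -UserName 'svc-m365@example.com' -KeyPath $keyFile -PasswordPath $passFile
$cred.UserName   # the password stays a SecureString; hand $cred to cmdlets that take -Credential
```

Run the creation part once as the account that will own the files; any later script only needs Get-ProtectedCredential and read access to the two files.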