Post

Dealing with Passwords in PowerShell

Posted Updated
Preview Image
By Nativ Weiss
5 min read
Dealing with Passwords in PowerShell

Dealing with passwords in PowerShell

Managing passwords in PowerShell can be challenging. Automating scripts without interrupting processes for credentials is a key goal. At the same time, it is crucial to prioritize security by avoiding plain-text passwords. While embedding passwords in scripts may be acceptable during testing, it poses serious risks in production, such as exposing sensitive information if the script is shared or accessed by unauthorized individuals. To balance automation and security, it is essential to implement secure methods for handling passwords in PowerShell.

This post explores some of the methods PowerShell provides for secure password management.

Method 1: Importing password from an external file

Step 1: Storing the password to a file

1
2
3
4
5

# Convert a plaintext password to a secure string
$SecurePassword = "YourPasswordHere"

# Export the password to a file
$SecurePassword | Out-File C:\Temp\Passwords.txt

This step stores the password as plain text in the Passwords.txt file, which can be opened by any text editor (e.g., Notepad). This is not secure and should be avoided in production. Instead, consider using PowerShell’s built-in encryption methods, such as converting passwords to a secure string or encrypting them with a key file, to enhance security.

Step 2: Reading the stored password

1
2
3
4
5

# Read the password from the external file
$password = Get-Content C:\temp\Passwords.txt
$password

YourPasswordHere

This option solves the issue of having the password in the script itself. However, this is still not secured enough as everyone may have an access to the file to see your password.

Method 2: Use a Key File to encrypt and decrypt the password

Using a key file enables you to encrypt and store the password as an unreadable string. Securing the key file is critical; if someone gains access to it, they can decrypt your password. To mitigate this risk, ensure the key file is stored in a location with restricted access and implement additional safeguards, such as file encryption or access control measures.

By using a key file, PowerShell will leverage the Advanced Encryption Standard (AES) encryption algorithm. The specified key must have a length of 16 bytes (128 bits), 24 bytes (192 bits), or 32 bytes (256 bits).

Step 1: Create the key file to encrypt and store the password

1
2
3
4
5
6
7
8
9
10
11
12
13

# Define file paths
$keyFile = "C:\temp\KeyFile.key"
$passwordFile = "C:\temp\Passwords.txt"

# Generate a random AES key (16, 24, or 32 bytes) and save it
$keySize = 32  # Change to 16, 24, or 32 as needed for AES key size
$key = (New-Object Byte[] $keySize)
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key)
$key | Out-File $keyFile

# Encrypt the supplied password and save it
$password = "YourPasswordHere" | ConvertTo-SecureString -AsPlainText -Force
$password | ConvertFrom-SecureString -Key $key | Out-File $passwordFile

Now, if we’ll open the password file in a text editor, we will see a line similar to this:

1

76492d1116743f0423413b16050a5345MgB8AHkAWgBzAE4ANQBWAGoAOQAzAFkAegBLAFYAawBZAGsAWgBVAE4AVQBJAHcAPQA9AHwAMAAwADgANgBkADUANAA0ADcAMAAyAGQAYgBkAGQANwA0ADIANgAxAGIAMABjADAAYgBlADcAZABjADIAOQBhAGYAZgA5AGMAZQA2ADcANgAzADAANwBiADcAMQA1ADYANwA2AGQANQA1ADgAMgBmAGYAMQA4ADQAMwA3ADYAYgA4ADYAZgA1ADEAMQA1ADYAYQA5AGIAOABkADUAYwA5ADYAMABmAGQAMAA5ADkAOAAxADEANwBiADcAOAA3ADAA

Step 2: Decrypt the password using the key file

1
2
3
4
5
6
7
8
9
10
11
12

# Define the file paths
$encryptedPassword = Get-Content "C:\temp\Passwords.txt"
$keyFile = Get-Content "C:\temp\KeyFile.key"

# Decrypt the password by using the keyfile
$password = $encryptedPassword | ConvertTo-SecureString -Key $keyFile

# Convert the password from Secure String to plain text
$decryptedPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
$decryptedPassword

YourPasswordHere

Note: If the key file is lost or compromised, you will be unable to decrypt the password, and anyone with the key can access your password.

Method 3: Encrypt the password as Secured String

This method uses Windows’ Data Protection API (DPAPI), which ties the encryption to the current user profile and machine. This ensures that only the original user on the specific machine can decrypt the data, enhancing security by preventing access from unauthorized users or other systems. This means the password can only be decrypted by the same user on the same machine.

To encrypt the password we’ll use a code similar to this:

1
2
3
4
5

# Convert a plaintext password to a secure string
$SecurePassword = ConvertTo-SecureString "YourPasswordHere" -AsPlainText -Force

# Store the SecurePassword in the external file
ConvertFrom-SecureString $SecurePassword | Out-File "C:\temp\Passwords.txt"

Now, if we’ll open the file in a text editor, we’ll see that it contains a very long string similar to this (here I just took a portion of this very long string. Your string will be of course different because it would be created on your personal machine, and encrypted with your personal key):

1

406c7f3d94afe0f6b430fd3a7ab4f099ee16f22edfc2f5e5682a3a534610e73e36194e63140000000ec5054726eb90e4981

If we want to decrypt this password, we can use a similar code to this:

1
2
3
4
5
6
7

$encryptedPassword = Get-Content "C:\temp\Passwords.txt"
$password = ConvertTo-SecureString $encryptedPassword

$decryptedPassword2 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
$decryptedPassword2

YourPasswordHere

Note: This method is highly secure as the encrypted password cannot be decrypted on another machine or by a different user. For this to work, we need to have an access to the same machine and same user profile that used to encrypt the password.

Conclusion

Handling passwords in PowerShell requires a balance between automation and security. While external files and key files offer portability, they must be secured appropriately to prevent unauthorized access. For most cases, using the built-in Data Protection API is recommended as it provides strong encryption tied to the user profile and machine. This approach ensures that even if encrypted data is accessed by an unauthorized user or transferred to another machine, decryption remains impossible without the original user profile and environment, making it significantly more secure for sensitive operations.

Always ensure that sensitive files, such as key files or password files, are stored securely and have restricted access. Consider additional measures like disk encryption or access controls to enhance security further.

PowerShell, Security, Passwords, Automation
powershell security encryption password automation
This post is licensed under CC BY 4.0 by the author.