Storing Passwords for PowerShell Scripts – ALWAYS WORKS!

In case you cannot use the CredentialManager PowerShell module to store and retrieve user credentials, but you still need to securely store user passwords or other confidential data there is another way to do so.

1. Securely Encrypt and Store a string

Our task: securely store the password " SuperS3cretPasswd!!!" for the user Admin so it can be used in scripts.

PowerShell can utilize DPAPI (Data Protection application programming interface) to take a secure string, then encrypt and store it in a plain text file in the file system.

ConvertTo-SecureString -String "SuperS3cretPasswd!!!" -Force -AsPlainText | ConvertFrom-SecureString | Set-Content c:\temp\pass.txt

That begs the question: what if someone opens that text file, will they be able to decrypt the password just as easily like we do? The answer fortunately is no. DPAPI uses the actual user credentials from LSA to encrypt and decrypt the text file, so only the user who encrypted it can decrypt it's contents, even if others gain access to the content of the text file.

That doesn't mean however that you should not lock the file down with the appropriate NTFS permissions as an extra security measure, so it should only be readable by you.

2.1 Decrypt our stored String to build a credential object

# Decrypt the password from pass.txt
$SecureStr = $(Get-Content c:\temp\pass.txt | ConvertTo-SecureString)

# Build a credential object using the username and the decrypted password
[PsCredential]$cred = New-Object System.Management.Automation.PSCredential ("Admin", $SecureStr)

# Connect to Office365 using the stored credentials
Connect-ExchangeOnline -Credential $cred

2.2 Recover the original string from pass.txt

If you need the original string recovered from the encrypted text file, use the following formula:

$Original = [System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR($SecureStr))