OpenTechTips


Storing Passwords for PowerShell Scripts – ALWAYS WORKS!

June 7, 2020 - by Zsolt Agoston - last edited on June 7, 2020

If you cannot use the CredentialManager PowerShell module to store and retrieve user credentials but still need to securely store user passwords or other confidential data, there is another way to do so.

1. Securely Encrypt and Store a string

Our task: securely store the password "SuperS3cretPasswd!!!" for the user Admin so it can be used in scripts.

PowerShell can use DPAPI (the Windows Data Protection API) to take a secure string, encrypt it, and store it in a plain text file on the file system.

ConvertTo-SecureString -String "SuperS3cretPasswd!!!" -Force -AsPlainText | ConvertFrom-SecureString | Set-Content c:\temp\pass.txt

This command generates pass.txt, which contains the encrypted password as a single long hexadecimal string.

That raises the question: if someone opens that text file, can they decrypt the password as easily as we can? Fortunately, the answer is no. DPAPI uses the actual user credentials from LSA to encrypt and decrypt the text file, so only the user who encrypted it can decrypt its contents, even if others gain access to the content of the text file.

That doesn't mean, however, that you should skip locking the file down with appropriate NTFS permissions as an extra security measure, so that it is readable only by you.

2.1 Decrypt our stored String to build a credential object

# Decrypt the password from pass.txt
$SecureStr = $(Get-Content c:\temp\pass.txt | ConvertTo-SecureString)

# Build a credential object using the username and the decrypted password
[PsCredential]$cred = New-Object System.Management.Automation.PSCredential ("Admin", $SecureStr)

# Connect to Office365 using the stored credentials
Connect-ExchangeOnline -Credential $cred

2.2 Recover the original string from pass.txt

If you need the original string recovered from the encrypted text file, use the following formula:

$Original = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureStr))
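
Sections 1 to 2.2 combined into one script, as an added example that is not the author's code: it stores the DPAPI-protected string, applies the NTFS lockdown recommended in section 1, reports a clear error when the file cannot be decrypted, and wipes the unmanaged plaintext copy after recovering the string. The function names and the demo file path are assumptions made for illustration.

```powershell
# Added example; function names and the demo path are hypothetical.
function Save-DpapiSecret {
    param([Parameter(Mandatory)][securestring]$Secret,
          [Parameter(Mandatory)][string]$Path)
    # Without -Key/-SecureKey, ConvertFrom-SecureString encrypts with DPAPI
    # under the current Windows user (section 1).
    $Secret | ConvertFrom-SecureString | Set-Content -LiteralPath $Path

    # Extra measure from section 1: no inherited ACEs, current user only.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Read-DpapiSecret {
    param([Parameter(Mandatory)][string]$Path)
    try {
        Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was encrypted under a different Windows account.
        throw "Could not load secret from '$Path': $($_.Exception.Message)"
    }
}

function ConvertTo-PlainText {
    param([Parameter(Mandatory)][securestring]$SecureString)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }  # wipe the unmanaged copy
}

# Constructed demo run using the article's sample password and user name.
# Read-Host -AsSecureString would keep a real password out of the script and history.
$path   = Join-Path $env:TEMP 'pass-demo.txt'
$secret = ConvertTo-SecureString -String 'SuperS3cretPasswd!!!' -AsPlainText -Force
Save-DpapiSecret -Secret $secret -Path $path

$cred = [pscredential]::new('Admin', (Read-DpapiSecret -Path $path))
$roundTripOk = (ConvertTo-PlainText $cred.Password) -ceq 'SuperS3cretPasswd!!!'
"User: $($cred.UserName)  round trip ok: $roundTripOk"
Remove-Item -LiteralPath $path
```

Any code running under the same Windows account can decrypt the file the same way, so the NTFS lockdown limits who can read the blob, not what a process running as you can do with it.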