A nightmare for many security auditors is plain text passwords in PowerShell scripts. Of course this is not necessary: we can encrypt them in local files.
But there is a difference in how to encrypt passwords. You can encrypt them with your "user account key" or system-wide with a "MachineKeyStore".
The second one (machine key) is handy when you need to run scheduled PowerShell scripts under different user accounts.
Save plain text password with Machine Key encryption using PowerShell.
```powershell
<#
.DESCRIPTION
Creating a credential file with machine key encryption.
.NOTES
Version:        1.0
Author:         https://www.robvit.com
Creation Date:  17-8-2019
Purpose/Change: Initial script development
.EXAMPLE
$username = "robvit"
$keystorename = "storeRobvit"
$key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,8,5,35,43,6,6,7,6,6,6,31,33,60,23)
GetSecureSystemCredentials -key $key -Keystorename $keystorename -username $username -credpath "c:\cred_$($username).xml"
#>
function GetSecureSystemCredentials {
    Param(
        $key,                   # 32-byte AES key used by ConvertFrom-/ConvertTo-SecureString
        [string]$Keystorename,  # name of the RSA key container in the machine key store
        [string]$Credpath,      # file that holds the encrypted blob
        [string]$UserName
    )

    # RSA key container in the *machine* key store: it is persisted (PersistKeyInCsp) and
    # is not tied to the profile of the user who created it, so other accounts on this
    # machine (subject to the container's ACL) can decrypt the file later.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $keystorename
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
    $rsa.PersistKeyInCsp = $true

    if (!(Test-Path $credpath)) {
        Write-Host "No Credentials Saved Yet. "
        $pass = Read-Host -AsSecureString -Prompt "Enter a Password:"
        # Layer 1: AES-encrypt the SecureString with $key. Because $key sits in this script,
        # layer 2 (RSA-OAEP with the machine key container) is what actually ties the file
        # to this machine. OAEP can only wrap a payload smaller than the key size minus
        # padding, so a very long password would fail at $rsa.Encrypt.
        $securepass = $pass | ConvertFrom-SecureString -Key $key
        $bytes = [byte[]][char[]]$securepass
        $encrypted = $rsa.Encrypt($bytes, $true)
        $encrypted | Export-Clixml $Credpath
        $password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" | ConvertTo-SecureString -Key $key
        $cred = New-Object System.Management.Automation.PsCredential $Username,$password
    }
    else {
        # Reverse both layers: RSA-decrypt with the machine key container, then rebuild
        # the SecureString with the AES key.
        $encrypted = Import-Clixml $Credpath
        $password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" | ConvertTo-SecureString -Key $key
        $cred = New-Object System.Management.Automation.PsCredential $Username,$password
    }
    $cred
}

$username = "robvit"
$keystorename = "storeRobvit"
$key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,8,5,35,43,6,6,7,6,6,6,31,33,60,23)
$cred = GetSecureSystemCredentials -key $key -Keystorename $keystorename -username $username -credpath "c:\cred_$($username).xml"
$cred
```
Save plain text password with User Key encryption using PowerShell.
```powershell
<#
.DESCRIPTION
Creating a secure credential file with user key encryption.
.NOTES
Version:        1.0
Author:         https://www.robvit.com
Creation Date:  17-8-2019
Purpose/Change: Initial script development
.EXAMPLE
$username = "robvit"
$credpath = "$env:USERPROFILE\Cred_$($username).xml"
GetEncryptedUserKeyPassword -Username $username -Credpath $credpath
#>
function GetEncryptedUserKeyPassword {
    Param (
        [string]$Username,
        [string]$Credpath
    )
    if (!(Test-Path $credpath)) {
        # Export-Clixml protects the password half of the PSCredential with DPAPI under the
        # current user's key: only this user, on this machine, can import it again.
        Get-Credential -UserName $Username -Message "Enter the credentials for Username $($Username)" | Export-Clixml $credpath
    }
    $cred = Import-Clixml -Path $credpath
    $cred
}

$Username = "robvit"
$credpath = "$env:USERPROFILE\Cred_$($Username).xml"
$cred = GetEncryptedUserKeyPassword -Username $username -Credpath $credpath
$cred
```
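The two options the post contrasts are the two DPAPI scopes: `Export-Clixml` of a PSCredential protects the password under the current user's key, and the machine-key script builds a machine-wide equivalent out of a persisted RSA container. The script below is an added example, not code from the original post, that does the same job for both scopes with `System.Security.Cryptography.ProtectedData` directly, so one pair of functions covers the user-key and the machine-key case; it also goes beyond the post's scripts in that DPAPI has no RSA-OAEP-style payload limit, so password length is not an issue. The function names, the file path under `$env:ProgramData` and the entropy string are assumptions made for the demo (Windows PowerShell 5.1).

```powershell
# Added example (not from the original post): user-key or machine-key protection of a
# password file with DPAPI. CurrentUser = same as Export-Clixml's user key;
# LocalMachine = usable by other accounts on this host (what scheduled tasks need).
# Function names, file path and entropy value are assumptions for the demo.
Add-Type -AssemblyName System.Security   # ProtectedData lives here in Windows PowerShell 5.1

function Protect-PasswordFile {
    Param(
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'LocalMachine',
        [byte[]]$Entropy      # optional extra secret mixed into the DPAPI key derivation
    )
    # Expose the plaintext only for the moment of encryption, then zero the BSTR.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [Security.Cryptography.DataProtectionScope]$Scope)
    [Array]::Clear($bytes, 0, $bytes.Length)
    [Convert]::ToBase64String($blob) | Set-Content -Path $Path -Encoding ASCII
}

function Unprotect-PasswordFile {
    Param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'LocalMachine',
        [byte[]]$Entropy
    )
    $blob = [Convert]::FromBase64String((Get-Content -Path $Path -Raw).Trim())
    # Throws a CryptographicException when the file was protected under another user's
    # key (CurrentUser scope), on another machine (either scope), or with other entropy.
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $Entropy, [Security.Cryptography.DataProtectionScope]$Scope)
    $secure = New-Object System.Security.SecureString
    foreach ($c in [Text.Encoding]::UTF8.GetString($bytes).ToCharArray()) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()
    [Array]::Clear($bytes, 0, $bytes.Length)
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Demo: a machine-scoped file that a scheduled task under another account can read.
# With LocalMachine scope, any local account that can read the file can unprotect it,
# so the NTFS ACL on $credPath is the remaining access control. A hardcoded entropy
# value adds no more protection than the post's hardcoded $key; it is shown for completeness.
$credPath = "$env:ProgramData\cred_robvit.bin"                  # assumed location
$entropy  = [Text.Encoding]::UTF8.GetBytes('robvit-task')        # assumed value
if (-not (Test-Path $credPath)) {
    $pw = Read-Host -AsSecureString -Prompt 'Enter a Password:'
    Protect-PasswordFile -Password $pw -Path $credPath -Scope LocalMachine -Entropy $entropy
}
$cred = Unprotect-PasswordFile -Path $credPath -UserName 'robvit' -Scope LocalMachine -Entropy $entropy
$cred
```

Swap `-Scope LocalMachine` for `-Scope CurrentUser` (and a path under `$env:USERPROFILE`) to get the same behaviour as the user-key script: the file then imports only for the account that wrote it, which is exactly why it does not work for scheduled tasks running as someone else.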