Encrypt a Password with PowerShell for use by a Different User and/or on a Different Computer

Storing a password in an encrypted file for use by the same user on the same computer using PowerShell is fairly easy, but storing a password in an encrypted file for use on another computer or by another user is a bit more challenging. It requires the use of a key file, and of course anyone who can read the key file can also decrypt the password.

In my scenario, I work in a VDI (Virtual Desktop Infrastructure) environment that doesn’t use persistent desktops, and I need to have a certificate available to decrypt emails from certain individuals. The certificate is password protected and does not exist in the certificate store each time I log on.

I’ll start out by defining a few things such as the files and my super secure password that will be used throughout this blog article:

Don’t make things too easy for someone trying to find your key file. Notice that my key file uses a name that looks like a registry key backup, and the encrypted password is stored in a file whose name looks like a license key. Also consider setting NTFS permissions on these files so only the necessary users and/or computers have access to them.

Create a 256-bit AES key, an array of thirty-two 8-bit unsigned integers (bytes). This will be used as the encryption key:

Encrypt the password with the previously generated key and store it in a file:

Now for the command I want to run when I login to my VDI computer that imports the certificate:

The problem is that as soon as someone looks at the file I plan to save that command in, they will know exactly how to decrypt the password. I’ll obfuscate the command to at least make it a little more difficult for them.

The results will definitely keep what I’m doing more secure than plain text.

Now I just need to add the following command to a bat or cmd file that’s in the startup for my user on my VDI computer and I’ll be all set:
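The whole procedure end to end, as an added example that is not the article’s own code. The file paths, the PFX file and the interactive password prompt are assumptions; the article’s actual file names are not reproduced on this page.

```powershell
# Added example. All paths are hypothetical placeholders; the key file and the
# encrypted password file deliberately carry innocuous-looking names.
$KeyFile      = 'C:\Users\Public\HKLM-Backup.reg'   # hypothetical: AES key, disguised as a registry backup
$PasswordFile = 'C:\Users\Public\license.key'       # hypothetical: encrypted password, disguised as a license key
$PfxFile      = 'C:\Users\Public\mail-cert.pfx'     # hypothetical: the password-protected certificate

# --- One-time setup: generate a 256-bit AES key (32 random bytes) and save it ---
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
# One decimal byte per line; works the same on Windows PowerShell 5.1 and PowerShell 7.
$Key | Set-Content -Path $KeyFile

# --- One-time setup: encrypt the password with that key and store it ---
$Secure = Read-Host -Prompt 'Certificate password' -AsSecureString
$Secure | ConvertFrom-SecureString -Key $Key | Set-Content -Path $PasswordFile
# Anyone who can read BOTH files can recover the password, so restrict them:
icacls $KeyFile /inheritance:r /grant:r "$env:USERDOMAIN\$env:USERNAME:(R)" | Out-Null

# --- At logon (any user/computer that can read both files): rebuild the
# --- SecureString and import the certificate into the user's store.
function Import-MailCertificate {
    $AesKey   = [byte[]](Get-Content -Path $KeyFile)
    $Password = Get-Content -Path $PasswordFile | ConvertTo-SecureString -Key $AesKey
    Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\CurrentUser\My -Password $Password
}

# --- Obfuscation step: Base64-encode the logon command (UTF-16LE, as
# --- powershell.exe -EncodedCommand expects) for the startup .cmd file.
$LogonCommand = "Import-PfxCertificate -FilePath '$PfxFile' -CertStoreLocation Cert:\CurrentUser\My " +
                "-Password (Get-Content '$PasswordFile' | ConvertTo-SecureString -Key ([byte[]](Get-Content '$KeyFile')))"
$Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($LogonCommand))
"powershell.exe -NoProfile -EncodedCommand $Encoded"   # the line to put in the startup .cmd
```

The encoding only hides the command from a casual glance; decoding it is one `[Convert]::FromBase64String` away, so the NTFS permissions on the key file are what actually protect the password.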

If you know of a better way to share a saved password within PowerShell between different users and/or computers, please share via a comment to this blog article.

I recently wrote a blog article on “Simple Obfuscation with PowerShell using Base64 Encoding” that you might also find interesting.


2 Comments

  1. Thomas Malkewitz

    I use Dave Wyatt’s ProtectedData module for credential encryption. Then you can just secure the pfx to an AD group or password. So if they can open/import the pfx, they can decrypt the object.

    https://www.powershellgallery.com/packages/ProtectedData/4.1.3

  2. Michel de Rooij

    Protect-CmsMessage / Unprotect-CmsMessage. Then you need the certificate to encode (public key) or decode (private key) the message (or pw)

