Encrypt a Password with PowerShell for use by a Different User and/or on a Different Computer

Storing a password in an encrypted file for use by the same user on the same computer using PowerShell is fairly easy, but storing a password in an encrypted file for use on another computer or by another user is a bit more challenging. It requires the use of a key file and of course if someone else can read the key file, then they also can decrypt the password.

In my scenario, I work in a VDI (Virtual Desktop Infrastructure) environment that doesn’t use persistent desktops and I need to have a certificate available to decrypt emails from certain individuals. The certificate is password protected and does not exist in the certificate store each time I log on.

I’ll start out by defining a few things such as the files and my super secure password that will be used throughout this blog article:

Don’t make things too easy for someone trying to find your key file. Notice that the file for mine uses a naming convention that appears to be a registry key backup and the encrypted password has a file name that appears to be a license key. Also consider setting NTFS permissions on these files so only the necessary users and/or computers have access to them.

Create a 256-bit AES key that’s an array of thirty-two 8-bit unsigned integers. This will be used as the encryption key:

Encrypt the password with the previously generated key and store it in a file:

Now for the command I want to run when I login to my VDI computer that imports the certificate:

The problem is that as soon as someone looks at the file I plan to save that command in, they will know exactly how to decrypt the password. I’ll obfuscate the command to at least make it a little more difficult for them.

The results will definitely keep what I’m doing more secure than plain text.

Now I just need to add the following command to a bat or cmd file that’s in the startup for my user on my VDI computer and I’ll be all set:
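The whole procedure end to end, as an added example rather than the article’s own code: the file names, the certificate and the sample password are assumptions, and it also carries out the NTFS lock-down of the key file suggested earlier and the Base64 encoding of the startup command.

```powershell
# Added example, not the article's own code. Every path, the sample password and the
# certificate file name are assumptions; replace them with your own values.
$KeyFile      = 'C:\ProgramData\HKLM-Software-Backup.reg'   # assumed: AES key, disguised as a .reg backup
$PasswordFile = 'C:\ProgramData\license.key'                # assumed: encrypted password, disguised as a license
$PfxFile      = 'C:\ProgramData\email-cert.pfx'             # assumed: the password-protected certificate
$Password     = 'Sample-Only-P@ssw0rd'                      # constructed sample secret

# Step 1: 256-bit AES key = 32 cryptographically random 8-bit unsigned integers.
$Key = New-Object -TypeName Byte[] -ArgumentList 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Set-Content -Path $KeyFile      # one decimal byte value per line

# Step 2: encrypt with that key rather than the default DPAPI protection, so the
# result is portable to another user or computer that holds the same key file.
$Secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Secure | ConvertFrom-SecureString -Key $Key | Set-Content -Path $PasswordFile

# Step 3 (on the other computer / as the other user): rebuild the SecureString
# from the two files and hand it to the certificate import.
$KeyFromDisk    = [byte[]](Get-Content -Path $KeyFile)
$SecureFromDisk = Get-Content -Path $PasswordFile | ConvertTo-SecureString -Key $KeyFromDisk
Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\CurrentUser\My -Password $SecureFromDisk

# Step 4: lock the key file down with NTFS permissions so only this account can read it;
# whoever can read the key can decrypt the password, so this is the real control.
$Acl = Get-Acl -Path $KeyFile
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$Identity = "$env:USERDOMAIN\$env:USERNAME"
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'Read', 'Allow'
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyFile -AclObject $Acl

# Step 5: Base64-encode the import command for the startup .cmd file. This only hides
# the command from a casual look at the file; it is not encryption.
$Command = "`$k = [byte[]](Get-Content '$KeyFile'); Import-PfxCertificate -FilePath '$PfxFile' -CertStoreLocation Cert:\CurrentUser\My -Password (Get-Content '$PasswordFile' | ConvertTo-SecureString -Key `$k)"
$Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
"powershell.exe -NoProfile -EncodedCommand $Encoded"   # paste this line into the .cmd file
```

Steps 1, 2, 4 and 5 run once on the machine where the files are created; step 3 is what the encoded startup command performs on the target computer.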

If you know of a better way to share a saved password within PowerShell between different users and/or computers, please share via a comment to this blog article.

I recently wrote a blog article on “Simple Obfuscation with PowerShell using Base64 Encoding” that you might also find interesting.


3 Comments

  1. Thomas Malkewitz

    I use Dave Wyatt’s ProtectedData module for credential encryption. Then you can just secure the pfx to an AD group or password. So if they can open/import the pfx, they can decrypt the object.

    https://www.powershellgallery.com/packages/ProtectedData/4.1.3

  2. Michel de Rooij

    Protect-CmsMessage / Unprotect-CmsMessage. Then you need the certificate to encode (public key) or decode (private key) the message (or pw)

  3. Pablo

    Hello there,
    thank you so much for sharing this.

    I would like to add to your superb article the explanation of the “AsPlainText” parameter of the ConvertTo-SecureString cmdlet:

    -AsPlainText
    Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter.

    In my opinion, this should be taken into consideration.

    KR,
    Pablo
