Encrypt a Password with PowerShell for use by a Different User and/or on a Different Computer

Storing a password in an encrypted file for use by the same user on the same computer using PowerShell is fairly easy, but storing a password in an encrypted file for use on another computer or by another user is a bit more challenging. It requires the use of a key file and of course if someone else can read the key file, then they also can decrypt the password.

In my scenario, I work in a VDI (Virtual Desktop Infrastructure) environment that doesn't use persistent desktops and I need to have a certificate available to decrypt emails from certain individuals. The certificate is password protected and does not exist in the certificate store each time I logon.

I'll start out by defining a few things such as the files and my super secure password that will be used throughout this blog article:

1$EncryptionKeyFile = 'C:\tmp\registry-backup070517.reg'
2$PasswordFile = 'C:\tmp\license-key.txt'
3$Password = 'MyP@ssW0rd'

Don't make things too easy for someone trying to find your key file. Notice that the file for mine uses a naming convention that appears to be a registry key backup and the encrypted password has a file name that appears to be a license key. Also consider setting NTFS permissions on these files so only the necessary users and/or computers have access to them.

Create a 256 bit AES key that's an array of thirty-two 8 bit unsigned integers. This will be used as the encryption key:

1Get-Random -Count 32 -InputObject (0..255) |
2Out-File -FilePath $EncryptionKeyFile

Encrypt the password with the previously generated key and store it in a file:

1ConvertTo-SecureString -String $Password -AsPlainText -Force |
2ConvertFrom-SecureString -Key (Get-Content -Path $EncryptionKeyFile) |
3Out-File -FilePath $PasswordFile

Now for the command I want to run when I login to my VDI computer that imports the certificate:

1Import-PfxCertificate -FilePath C:\tmp\BrowserCertificate.p12 -Password (Get-Content -Path C:\tmp\pass.txt |
2ConvertTo-SecureString -Key (Get-Content -Path C:\tmp\registry-backup070517.key)) -CertStoreLocation Cert:\CurrentUser\My -Exportable

The problem is that as soon as someone looks at the file I plan to save that command in, they will know exactly how to decrypt the password. I'll obfuscate the command to at least make it a little more difficult for them.

1[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Import-PfxCertificate -FilePath C:\tmp\BrowserCertificate.p12 -Password (Get-Content -Path C:\tmp\pass.txt | ConvertTo-SecureString -Key (Get-Content -Path C:\tmp\registry-backup070517.key)) -CertStoreLocation Cert:\CurrentUser\My -Exportable'))

The results will definitely keep what I'm doing more secure than plain text.

1SQBtAHAAbwByAHQALQBQAGYAeABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgAEMAOgBcAHQAbQBwAFwAQgByAG8AdwBzAGUAcgBDAGUAcgB0AGkAZ
2gBpAGMAYQB0AGUALgBwADEAMgAgAC0AUABhAHMAcwB3AG8AcgBkACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIABDADoAXAB0AG0AcABcAHAAYQBzAHMALg
3B0AHgAdAAgAHwAIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBLAGUAeQAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdAB
4oACAAQwA6AFwAdABtAHAAXAByAGUAZwBpAHMAdAByAHkALQBiAGEAYwBrAHUAcAAwADcAMAA1ADEANwAuAGsAZQB5ACkAKQAgAC0AQwBlAHIAdABTAHQAbwByAGUATABvAGMAYQB0
5AGkAbwBuACAAQwBlAHIAdAA6AFwAQwB1AHIAcgBlAG4AdABVAHMAZQByAFwATQB5ACAALQBFAHgAcABvAHIAdABhAGIAbABlAA==

Now I just need to add the following command to a bat or cmd file that's in the startup for my user on my VDI computer and I'll be all set:

1powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBtAHAAbwByAHQALQBQAGYAeABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgAEMAOgBcAHQAbQBwAFwAQgByAG8AdwBzAGUAcgBDAGUAcgB0AGkAZ
2gBpAGMAYQB0AGUALgBwADEAMgAgAC0AUABhAHMAcwB3AG8AcgBkACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIABDADoAXAB0AG0AcABcAHAAYQBzAHMALg
3B0AHgAdAAgAHwAIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBLAGUAeQAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdAB
4oACAAQwA6AFwAdABtAHAAXAByAGUAZwBpAHMAdAByAHkALQBiAGEAYwBrAHUAcAAwADcAMAA1ADEANwAuAGsAZQB5ACkAKQAgAC0AQwBlAHIAdABTAHQAbwByAGUATABvAGMAYQB0
5AGkAbwBuACAAQwBlAHIAdAA6AFwAQwB1AHIAcgBlAG4AdABVAHMAZQByAFwATQB5ACAALQBFAHgAcABvAHIAdABhAGIAbABlAA==

I recently wrote a blog article on Simple Obfuscation with PowerShell using Base64 Encoding that you might also find interesting.

µ