Saving passwords securely in Powershell

By | 2015-10-04

When dealing with passwords in unattended installations, the challenge is always if the password is securly stored.
One way to deal with it is to use “Read-Host -AsSecureString” on the target server from within the script.
But when dealing with a lot of passwords in 1 script, this will cause a lot of prompts.
You could save every password with the ConvertFrom-SecureString function, the default uses a User specific masterkey (through Data Protection API – DPAPI) so it can only be used when the script is run as the same user. Also it is easy to get the password through reversing this as that same user.

Get plain password from securestring:



To overcome both problems we need something better. This is where a custom key can be used with the ConvertFrom-SecureString function. The key must be in byte format and must be 16, 24 or 32 characters long.

Then you only have to ask once for a key and you can use that to decrypt all passwords that are stored in the script or in configuration files.

An alternative to this manually defined key is using a random 32bit key:

This random key is not a solution in itself, because you can’t remember it, so we need to provide this key and we can use a certificate, which provides encrypt and decrypt options of the previously used key. When encrypting the key with a specific certificate, we can provide the key to anyone who has the certificate that is needed to decrypt this key, after which we can use the decrypted key to decrypt the passwords.

In this case the steps would be:

  1. Create byte key (random generated, or a specific passphrase)
  2. Make securestrings of passwords
  3. Convert (encrypt) securestrings with key
  4. encrypt key with certificate
  5. provide encrypted key (or have it entered when its a passphrase) and encrypted passwords
  6. decrypt key with certificate
  7. decrypt passwords with the key

Read more on:

Leave a Reply

Your email address will not be published. Required fields are marked *