Secure Password with PowerShell encryption



Today we will look into the encryption using PowerShell

We usually when working on the elevated privileges, would like to have the security of the script so that the credentials are not compromised. So today I will be discussing it.

Machine Specific Encryption

The simplest way is to Secure the string and keep that in the file. so then the encrypted string cannot be compromised

ENCRYPTION


$securePassword = "Password@1234" | ConvertTo-SecureString -AsPlainText -Force
$encrypted = $securePassword | ConvertFrom-SecureString | Out-File -FilePath "C:\Secured\Encrypted.txt"

This will export the password into the encryption format using the default machine keys. to retrieve the password into the plaint text or secure string use the below code

DECRYPTION

# Returns the password as the secure string
$securePassword = Get-Content -Path "C:\Secured\Encrypted.txt" | ConvertTo-SecureString
    
 # Returns the plain text of the password
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword))


If you try to read the key on some other machine, then this will fail as the keys used to encrypt the code was used were unique to every machine. This is very good if your script is limited to a single machine only. But in case if the script needs to be executed on different machines then this is not a good way of doing it.

Machine Independent Encryption

To make the machine-independent encryption we will add one more parameter, which will encrypt the password with the AES Encryption, which can be 28-bit (16 bytes), 193-bit (24 bytes), 192-bit(24 bytes), or 256-bit (32 bytes).

There are multiple ways how you can generate this key

    
# 16 bytes
    [Byte[]] $key = (12345678910111213141516)
    # OR
    # 32 bytes
    [Byte[]] $key = (1..32)


The above keys are very easy to predict, so it better is to keep these keys unique

To make it more secure I will create a custom key, so that the control over the key also remains  as it will prompt if the given key is not strong

# Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))


Once we get the keys we will encrypt the key and get the output to a file so that whenever we need to execute the script it can be retrieved and used with the same key

ENCRYPTION


    # Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))
    
    $securePassword = "Password@1234" | ConvertTo-SecureString -AsPlainText -Force
    $securePassword | ConvertFrom-SecureString  -key $bytes | Out-File -FilePath "C:\Secured\Encrypted.txt"


To decrypt and use the key, Use the below code.

DECRYPTION


    # Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))
    # Returns the password as the secured string, ca be used in PSCredentials
    $securePassword = Get-Content -Path "C:\Secured\Encrypted.txt" | ConvertTo-SecureString -key $bytes
    
    # * Returns the plain text of the password
    [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword))
    


Conclusion:

In this blog post, I have showcased how to secure your keys in the PowerShell. It can be secured at both levels if it only needs to be executed on to a single server/machine i.e.. the encryption is machine specific and cannot be executed onto other machines and the encryption can be machine-independent and let you choose the keys.

Hope this article will help you

Happy Coding..!!!

Comments

Popular posts from this blog

Sorting in Typescript (Simple Arrays & Array of Objects)

SharePoint Framework (SPFx) Tab Control (react)

SPFx Chat Bot - using SharePoint Framework Extension