Secure Password with PowerShell encryption



Today we will look into the encryption using PowerShell

We usually when working on the elevated privileges, would like to have the security of the script so that the credentials are not compromised. So today I will be discussing it.

Machine Specific Encryption

The simplest way is to Secure the string and keep that in the file. so then the encrypted string cannot be compromised

ENCRYPTION


$securePassword = "Password@1234" | ConvertTo-SecureString -AsPlainText -Force
$encrypted = $securePassword | ConvertFrom-SecureString | Out-File -FilePath "C:\Secured\Encrypted.txt"

This will export the password into the encryption format using the default machine keys. to retrieve the password into the plaint text or secure string use the below code

DECRYPTION

# Returns the password as the secure string
$securePassword = Get-Content -Path "C:\Secured\Encrypted.txt" | ConvertTo-SecureString
    
 # Returns the plain text of the password
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword))


If you try to read the key on some other machine, then this will fail as the keys used to encrypt the code was used were unique to every machine. This is very good if your script is limited to a single machine only. But in case if the script needs to be executed on different machines then this is not a good way of doing it.

Machine Independent Encryption

To make the machine-independent encryption we will add one more parameter, which will encrypt the password with the AES Encryption, which can be 28-bit (16 bytes), 193-bit (24 bytes), 192-bit(24 bytes), or 256-bit (32 bytes).

There are multiple ways how you can generate this key

    
# 16 bytes
    [Byte[]] $key = (12345678910111213141516)
    # OR
    # 32 bytes
    [Byte[]] $key = (1..32)


The above keys are very easy to predict, so it better is to keep these keys unique

To make it more secure I will create a custom key, so that the control over the key also remains  as it will prompt if the given key is not strong

# Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))


Once we get the keys we will encrypt the key and get the output to a file so that whenever we need to execute the script it can be retrieved and used with the same key

ENCRYPTION


    # Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))
    
    $securePassword = "Password@1234" | ConvertTo-SecureString -AsPlainText -Force
    $securePassword | ConvertFrom-SecureString  -key $bytes | Out-File -FilePath "C:\Secured\Encrypted.txt"


To decrypt and use the key, Use the below code.

DECRYPTION


    # Prompts for the encryption key and get the bytes
    $key = Read-Host "Enter the Key" -AsSecureString
    $encoder = New-Object System.Text.UTF32Encoding
    $bytes = $encoder.GetBytes([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)))
    # Returns the password as the secured string, ca be used in PSCredentials
    $securePassword = Get-Content -Path "C:\Secured\Encrypted.txt" | ConvertTo-SecureString -key $bytes
    
    # * Returns the plain text of the password
    [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword))
    


Conclusion:

In this blog post, I have showcased how to secure your keys in the PowerShell. It can be secured at both levels if it only needs to be executed on to a single server/machine i.e.. the encryption is machine specific and cannot be executed onto other machines and the encryption can be machine-independent and let you choose the keys.

Hope this article will help you

Happy Coding..!!!

Comments

Post a Comment

Popular posts from this blog

Rename Folder using Microsoft Flow / Power Automate in a Document Library in SharePoint Online

Image
Hi Friends, Today blog is about renaming the folder in the document library using the MS FLOW or MS Power Automate. When I started working on this it seems to be an easy job, but if you look into the connectors you'll find it really difficult as there is no straight forwards connector to do the job. Issues encountered If you try using the " Get Folder Metadata " connector, you'll not be able to get the ID of the folder as it is returning as the negative value. If you get the ID somehow and try to update the folder name using the " Update File Properties " connector, you'll end up renaming only the title of the folder, but it will still have the old name as the display name which in case is again a failure. There is no other connector which can be utilized to achieve the task of renaming the folder in a document library directly. Solution The solution is a simple three-step (at least in this example). Step 1: Initialize variables In case you are computing
Read more

Power Automate: How to Add "New Line" to the text in SharePoint multiline text field

Image
  Q. How to add "New Line", while adding the text to the SharePoint multiline text field?  A . In order to add the new line while adding a text to the multiline SharePoint field, I will demonstrate the simplest approach. Although you can find multiple approaches, but this one seems to be very easy and quick. You need to append the below expression to the text to make it to the new line: decodeUriComponent('%0A') If you are adding any array, then join the array using this expression or if you are building this string, then append this expression to the string. Step 1:  Add a variable and add the below expression (Write the code under the Expression tab) STEP 2: This is how your variable will look like      STEP 3: Output of the Address columns which is of Type Multiline text field Happy Coding..!! #Microsft #SharePointWidgets #PowerAutomate
Read more

Power Automate: Rename file in SharePoint Online

Image
  We often get to change the name of the file, so in this article, I will explain how to rename the file in SharePoint Online using Microsoft Power Automate. Below is the file which I will be renaming. Step 1: Get the file properties We only need to have the SharePoint item id, for which we want to rename the file Step 2: Update the File Name Add the "Send an HTTP request to SharePoint" connector, and update the following properties Method : POST Uri : _api/web/lists/GetByTitle(' <LIBRARY TITLE> ')/items( <ITEM ID> )/ValidateUpdateListItem Body: {     "formValues" :[         {             "FieldName" : "FileLeafRef" ,             "FieldValue" : "<New File Name>"         }     ] } Execute the flow, and the file will be renamed Happy Automating..!! #PowerAutomate #SharePointWidgets #Microsoft
Read more