Channel: Rob V IT

How to use credentials in a PowerShell script?


Plain text passwords in PowerShell scripts are a nightmare for many security auditors. Of course this is not necessary; we can encrypt them in local files.

But there is a difference in how the passwords are encrypted. You can encrypt them with your “user account key” or system-wide with a “MachineKeyStore”.
The second one (machine key) is handy when you need to run scheduled PowerShell scripts under different user accounts.

Save plain text password with Machine Key encryption using PowerShell.

<#
.DESCRIPTION
  Creating a credential file with machine key encryption.

.NOTES
  Version:        1.0
  Author:         http://www.robvit.com
  Creation Date:  17-8-2019
  Purpose/Change: Initial script development
  
.EXAMPLE
  $username = "robvit"
  $keystorename = "storeRobvit"
  $key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,8,5,35,43,6,6,7,6,6,6,31,33,60,23) 
  GetSecureSystemCredentials -key $key -Keystorename $keystorename -username $username -credpath "c:\cred_$($username).xml"

#>


function GetSecureSystemCredentials {

    Param(
        [byte[]]$Key,            # 32-byte AES key for ConvertFrom-/ConvertTo-SecureString
        [string]$Keystorename,
        [string]$Credpath,
        [string]$UserName
    )

    # Open (or create on first use) an RSA key pair in the machine-wide key store.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Keystorename
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
    $rsa.PersistKeyInCsp = $true

    if (!(Test-Path $Credpath)) {
        Write-Host "No Credentials Saved Yet. "

        # Ask for the password, AES-encrypt it with $Key, then RSA-encrypt (OAEP) the result.
        $pass = Read-Host -AsSecureString -Prompt "Enter a Password:"
        $securepass = $pass | ConvertFrom-SecureString -Key $Key
        $bytes = [byte[]][char[]]$securepass

        $encrypted = $rsa.Encrypt($bytes, $true)
        $encrypted | Export-Clixml $Credpath

    } Else {

        $encrypted = Import-Clixml $Credpath

    }

    # Reverse both layers and build the credential object.
    $password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" | ConvertTo-SecureString -Key $Key
    $cred = New-Object System.Management.Automation.PsCredential $UserName,$password

    $cred

}

$username = "robvit"
$keystorename = "storeRobvit"
$key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,8,5,35,43,6,6,7,6,6,6,31,33,60,23) 
$cred = GetSecureSystemCredentials -key $key -Keystorename $keystorename -username $username -credpath "c:\cred_$($username).xml"
$cred
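
The function above creates a new key pair whenever the named container does not exist, so a credential file that was copied to another machine fails at decryption with an unhelpful error. The following added example (not part of the original post; the function names are hypothetical and Windows PowerShell 5.1 is assumed) opens the container with `UseExistingKey` so that case is reported clearly, and removes the container when the credential is retired:

```powershell
# Added example for Windows PowerShell 5.1; function names are hypothetical.
function Open-MachineKeyContainer {
    param([Parameter(Mandatory)][string]$KeyStoreName)

    $flags = [System.Security.Cryptography.CspProviderFlags]
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $KeyStoreName
    # UseExistingKey makes the constructor throw when the container is absent,
    # instead of silently generating a new key pair that cannot decrypt the file.
    $csp.Flags = $flags::UseMachineKeyStore -bor $flags::UseExistingKey
    try {
        [System.Security.Cryptography.RSACryptoServiceProvider]::new($csp)
    }
    catch {
        throw "Key container '$KeyStoreName' is missing or not accessible: $($_.Exception.Message)"
    }
}

function Read-MachineKeyCredential {
    param([byte[]]$Key, [string]$KeyStoreName, [string]$CredPath, [string]$UserName)

    if (-not (Test-Path -LiteralPath $CredPath)) {
        throw "Credential file '$CredPath' not found."
    }
    $rsa = Open-MachineKeyContainer -KeyStoreName $KeyStoreName
    try {
        # Same two layers as GetSecureSystemCredentials: RSA-OAEP, then AES with $Key.
        $encrypted = [byte[]](Import-Clixml -LiteralPath $CredPath)
        $protected = [char[]]$rsa.Decrypt($encrypted, $true) -join ""
        $password  = $protected | ConvertTo-SecureString -Key $Key
        New-Object System.Management.Automation.PSCredential $UserName, $password
    }
    finally {
        $rsa.Dispose()   # releases the handle; the persisted key stays in the store
    }
}

function Remove-MachineKeyContainer {
    param([Parameter(Mandatory)][string]$KeyStoreName)

    $rsa = Open-MachineKeyContainer -KeyStoreName $KeyStoreName
    # With PersistKeyInCsp set to $false, Clear() deletes the container from the store.
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
}
```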

Save plain text password with User Key encryption using PowerShell.

<#
.DESCRIPTION
  Creating a secure credential file with user key encryption.

.NOTES
  Version:        1.0
  Author:         http://www.robvit.com
  Creation Date:  17-8-2019
  Purpose/Change: Initial script development
  
.EXAMPLE
  $Username = "robvit"
  $credpath = "$env:USERPROFILE\Cred_$($Username).xml"
  GetEncryptedUserKeyPassword -Username $Username -Credpath $credpath

#>


function GetEncryptedUserKeyPassword {

    Param (
        [string]$Username,
        [string]$Credpath

    )

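    # On first use, prompt for the credential and save it. On Windows, Export-Clixml
    # encrypts the password with the current user's key (DPAPI), so only the same
    # user on the same machine can import it again.
    if (!(Test-Path $Credpath)) {
        Get-Credential -UserName $Username -Message "Enter the credentials for Username $($Username)" | Export-Clixml $Credpath
    }
    $cred = Import-Clixml -Path $Credpath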

    $cred

}

$Username = "robvit"
$credpath = "$env:USERPROFILE\Cred_$($Username).xml"
$cred = GetEncryptedUserKeyPassword -Username $username -Credpath $credpath
$cred

The post How to use credentials in a PowerShell script? appeared first on Rob V IT.

