Launch another process with Encrypted Credential (Powershell)

First, create an AES key and write it to a file.

$KeyFile = "C:\ps\s\AESKey\AES.key"
$Key = New-Object Byte[] 16   # You can use 16, 24, or 32 for AES
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | out-file $KeyFile

Second, use the AES key created in the first step to encrypt the password and write the result to a file.

$PasswordFile = "C:\ps\s\AESKey\pwd.txt"
$KeyFile = "C:\ps\s\AESKey\AES.key"
$Key = Get-Content $KeyFile
# Single quotes here: inside a double-quoted string PowerShell expands "$$" to the current process ID
$Password = 'Y0urS3curePa$$w0rd.' | ConvertTo-SecureString -AsPlainText -Force
$Password | ConvertFrom-SecureString -key $Key | Out-File $PasswordFile

You now have a password file that can only be decrypted with the key created in the first step.

Here is a snippet showing how to build a PowerShell credential from the encrypted password and use it to launch another process.

# Use the password file and key created earlier. $User holds the account name
# (for example "MyUserName" or "DOMAIN\User") and $Program the path of the executable to launch.
$User = "MyUserName"
$key = Get-Content $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)

# Launch another process with a different credential from the user's PowerShell session.
# This is useful if the user only has normal rights and the program must run under
# another credential that has admin rights.
Start-Process powershell.exe -Credential $MyCredential -WindowStyle Hidden -ArgumentList "Start-Process $($Program) -Wait -ErrorAction SilentlyContinue"


Please take steps to protect that key file: anyone who can read it can decrypt the password file.
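The three steps above combined into one script, as an added example (not code from the original post). It also puts an ACL on the key file so that only the account running the script and local Administrators can read it, and it reads the password with Read-Host instead of embedding it in the script. $KeyDir, $User and $Program are placeholders to set for your environment.

```powershell
# Added example, not from the original post: key generation, key-file ACL, password
# encryption and launching a process under the rebuilt credential.
# $KeyDir, $User and $Program below are placeholders; set them for your environment.
$KeyDir       = 'C:\ps\s\AESKey'                   # directory used in the post
$KeyFile      = Join-Path $KeyDir 'AES.key'
$PasswordFile = Join-Path $KeyDir 'pwd.txt'
$User         = 'DOMAIN\AdminAccount'              # placeholder: account whose password is stored
$Program      = 'C:\Windows\System32\notepad.exe'  # placeholder: program to start as $User

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# Step 1: 256-bit key from the cryptographic RNG (16, 24 and 32 bytes are all valid AES sizes).
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Out-File -FilePath $KeyFile

# Lock the key file down: drop inherited permissions and allow only the account running
# this script and local Administrators. Anyone who can read the key can decrypt pwd.txt.
$Me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Acl = Get-Acl -Path $KeyFile
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Identity in @($Me, 'BUILTIN\Administrators')) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'FullControl', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $KeyFile -AclObject $Acl

# Step 2: read the password interactively (it never appears in clear text in a script)
# and encrypt it with the key. Because -Key is used, the file is not bound to this machine.
$Secure = Read-Host -Prompt "Password for $User" -AsSecureString
$Secure | ConvertFrom-SecureString -Key $Key | Out-File -FilePath $PasswordFile

# Step 3: rebuild the credential from the two files and launch the program under it.
# This part is all a runtime script needs; steps 1 and 2 run once.
$KeyFromDisk  = [byte[]](Get-Content -Path $KeyFile)
$MyCredential = New-Object System.Management.Automation.PSCredential `
    -ArgumentList $User, (Get-Content -Path $PasswordFile | ConvertTo-SecureString -Key $KeyFromDisk)

Start-Process -FilePath powershell.exe -Credential $MyCredential -WindowStyle Hidden `
    -ArgumentList '-NoProfile', '-Command', "Start-Process -FilePath '$Program' -Wait"
```

Run the script once interactively to produce the key and password files; a scheduled or unattended script then needs only the step 3 lines. Passing `-NoProfile` and `-Command` explicitly to the inner powershell.exe avoids loading the other account's profile and makes it unambiguous that the argument is a command.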

Secure Password & Key with Powershell

To encrypt a credential so that it works on a different computer (or several), you need to generate both the key file and the encrypted password file.

Once you have both the key and the encrypted file, you can run PowerShell commands using the credential built from them.

Here is the reference I referred to.

Creating an AES key from random data and exporting it to a file:

$KeyFile = "\\Machine1\SharedPath\AES.key"
$Key = New-Object Byte[] 16   # You can use 16, 24, or 32 for AES
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | out-file $KeyFile

Creating a SecureString object:

$PasswordFile = "\\Machine1\SharedPath\Password.txt"
$KeyFile = "\\Machine1\SharedPath\AES.key"
$Key = Get-Content $KeyFile
$Password = "P@ssword1" | ConvertTo-SecureString -AsPlainText -Force
$Password | ConvertFrom-SecureString -key $Key | Out-File $PasswordFile

Creating a PSCredential object:

$User = "MyUserName"
$PasswordFile = "\\Machine1\SharedPath\Password.txt"
$KeyFile = "\\Machine1\SharedPath\AES.key"
$key = Get-Content $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
 -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)

Example of how to use PSCredential to map network drive:

# $UNC_PATH holds the share to map, e.g. "\\Server\Share" (set it before running)
New-PSDrive -Name P -PSProvider FileSystem -Root $UNC_PATH -Credential $MyCredential -Persist

* Keep the key file somewhere safe: it is the key that encrypts and decrypts the password file, so whoever can read it can recover the password.

Password encrypted as a SecureString in PowerShell

Create a password file with a SecureString:

# Without -Key, ConvertFrom-SecureString protects the string with DPAPI, so the file
# can only be decrypted by the same user account on the same machine
Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File -FilePath C:\encrypted.securestring

Use the password file to create a PSCredential:

$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "username",(Get-Content -Path C:\encrypted.securestring | ConvertTo-SecureString)


I realized that this encrypted password only works on the machine that encrypted it.
To have this work on a different computer (or several), you would need the key and the encrypted file.
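Converting a DPAPI-protected password file into the portable key-based format, as an added example that is not part of the original post. It decrypts C:\encrypted.securestring (which only succeeds for the user and machine that created it), re-encrypts the secret under an AES key, and checks the round trip locally, so the password never has to be typed again. The key and output paths are placeholders.

```powershell
# Added example, not from the original post: migrate a DPAPI-bound password file to the
# key-based format that can be used on another computer.
# Run this as the user who originally created the DPAPI file. Output paths are placeholders.
$DpapiFile    = 'C:\encrypted.securestring'      # file written in the post with no -Key
$KeyFile      = 'C:\ps\s\AESKey\AES.key'         # placeholder key location
$PortableFile = 'C:\ps\s\AESKey\portable.txt'    # placeholder output file

# 1. Decrypt with DPAPI. This fails for any other user account or machine.
try {
    $Secure = Get-Content -Path $DpapiFile | ConvertTo-SecureString
} catch {
    throw "Cannot unprotect $DpapiFile here; run this as the original user on the original machine. $_"
}

# 2. Reuse an existing key file or generate a fresh 256-bit AES key.
if (-not (Test-Path -Path $KeyFile)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $KeyFile -Parent) -Force | Out-Null
    $NewKey = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($NewKey)
    $NewKey | Out-File -FilePath $KeyFile
}
$Key = [byte[]](Get-Content -Path $KeyFile)

# 3. Re-encrypt under the key. With -Key, DPAPI is not involved, so the file is portable.
$Secure | ConvertFrom-SecureString -Key $Key | Out-File -FilePath $PortableFile

# 4. Round-trip check on this machine: both files must yield the same secret.
$FromPortable = Get-Content -Path $PortableFile | ConvertTo-SecureString -Key $Key
$Original  = (New-Object System.Net.NetworkCredential('', $Secure)).Password
$Recovered = (New-Object System.Net.NetworkCredential('', $FromPortable)).Password
if ($Original -ne $Recovered) { throw 'Round-trip mismatch: portable file does not decrypt to the original secret' }
Write-Host "Wrote $PortableFile; copy it together with $KeyFile to the target computer and protect the key file there."
```

On the target computer the credential is rebuilt exactly as in the PSCredential snippet above, reading the key with Get-Content and passing it to ConvertTo-SecureString -Key. The key file is now the only secret that binds the two machines, so its ACL on both sides matters as much as the password itself.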