Securely Storing a Password

Here's the scenario: You have a script that needs to access a static password which has to be stored in a file, but you do not want the password to be readable in that file.  Here is a way to encrypt the password so that only you can read it.  Anyone else running the same code from any other account won't be able to read it.  Also, this password file will only be usable on the host where it was created. 

$passwd = "<PASSWORD>";
# $passwordFolder must point at a directory the account can write to (set it before running)
$passwdFile = "$passwordFolder/$env:USERNAME/encrypted.txt";

# to generate the password file
# ConvertFrom-SecureString without -Key encrypts with DPAPI under the current user's
# profile, so the file only decrypts for this user on this host

ConvertTo-SecureString -Force -AsPlainText $passwd | ConvertFrom-SecureString |
    Set-Content -Encoding ASCII -Path $passwdFile;

# to decrypt the password
# ConvertTo-SecureString produces no output when DPAPI cannot unwrap the blob
# (other user, other host, or a tampered file), so $secureString stays $null

if ($secureString = Get-Content $passwdFile |
        ConvertTo-SecureString -ErrorAction SilentlyContinue) {
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString);
    try {
        $passwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr);
    } finally {
        # release the unmanaged copy of the plaintext once it has been read
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr);
    }
} else {
    Write-Warning "Unable to decrypt $passwdFile";
}

One caveat: if you use this for scheduled tasks with stored credentials (your own or a service account), make sure to require script signing on the computer and sign the script.  Otherwise, someone can modify the script to output the decrypted password to a plaintext file, defeating this whole exercise.
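The same DPAPI round-trip wrapped into two reusable functions, as an added example that is not part of the original post.  It hands the secret back as a PSCredential so the plaintext never has to be marshalled out of the SecureString unless a caller really needs it, tightens the file's NTFS ACL to the owning account, and returns $null (with a warning) when the blob cannot be unwrapped for the current user and host.  The function names, $PasswordFolder and the 'svc-example' account are assumptions for illustration.

```powershell
function Save-EncryptedPassword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # ConvertFrom-SecureString without -Key uses DPAPI under the current user's
    # profile, so the output only decrypts for this user on this host.
    $Password | ConvertFrom-SecureString | Set-Content -Encoding ASCII -Path $Path

    # Belt and braces: leave only the current account on the file's ACL.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    # ConvertTo-SecureString emits nothing when DPAPI cannot unwrap the blob
    # (another user, another host, or a tampered file), so $secure stays $null.
    $secure = Get-Content -Path $Path -ErrorAction Stop |
        ConvertTo-SecureString -ErrorAction SilentlyContinue
    if (-not $secure) {
        Write-Warning "Unable to decrypt $Path as $env:USERNAME on $env:COMPUTERNAME"
        return $null
    }
    # Most cmdlets accept -Credential directly, so callers rarely need the plaintext.
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage (hypothetical folder and account name):
$path = "$PasswordFolder\$env:USERNAME\encrypted.txt"
Save-EncryptedPassword -Path $path -Password (Read-Host -AsSecureString 'Password')
$cred = Get-StoredCredential -Path $path -UserName 'svc-example'
if ($cred) {
    # Only reach for the plaintext when a consumer cannot take a PSCredential.
    $plain = $cred.GetNetworkCredential().Password
}
```

Running Get-StoredCredential from another account or on another machine takes the warning branch, which is the behaviour the post describes rather than an error in the script.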

Comments

  • Anonymous
    March 07, 2013
    Back in October of 2012, I posted Securely Storing a Password, which showed the key commands to capture
