PowerShell: Securing credentials using the PSCredential class

This is a pretty old one, but it is a script block I revert back to at times, in particular when there is a requirement to specify user credentials in order to complete a task.

When credentials need to be stored for use in a script block, they should not be entered in plain text from a security perspective. They can easily be secured by storing the password in an encrypted file and retrieving the credentials using the PSCredential class (System.Management.Automation.PSCredential).

As the file can only be decrypted by the user account under which the password was converted from a secure string, you will need to invoke the PowerShell session as this user. For example, to retrieve the encrypted credentials as a service account, you will need to invoke PowerShell as that alternative user.

Using the ‘Get-Credential’ cmdlet, we can enter the user credentials we want encrypted, pass the password to the ‘ConvertFrom-SecureString’ cmdlet and finally save the encrypted string to a text file.

$Credentials = Get-Credential
$Credentials.Password | ConvertFrom-SecureString | Set-Content D:\Secure\password.txt

Now, it is time to compile the script block to retrieve the encrypted content and convert the encrypted string to a secure string using the ‘ConvertTo-SecureString’ cmdlet.

$Password = Get-Content "D:\Secure\password.txt" | ConvertTo-SecureString

Now we will specify the username for the credentials:

$Username = "user1@domain.local"

Now we can invoke the PSCredential class to retrieve the previously encrypted string and, going forward, use the ‘$Username’ and ‘$Password’ variables in the PowerShell session for authentication.

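$Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
# Only needed where an API requires the password as plain text:
# this overwrites the SecureString in $Password with the clear-text password.
$Password = $Credentials.GetNetworkCredential().Password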
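
The steps above wrapped into two helper functions, as an added example that is not code from the original post. The function names Save-EncryptedPassword and Get-StoredCredential and the host name server01 are hypothetical; the load function reports a clear error when the file is decrypted under a different account, and the credential object is passed to a -Credential parameter so the password is never expanded to plain text.

```powershell
# Added example: function names and 'server01' are placeholders, not from the post.
function Save-EncryptedPassword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )
    # Without -Key, ConvertFrom-SecureString protects the value with Windows DPAPI,
    # tying it to the current user account on the current computer.
    $Credential.Password | ConvertFrom-SecureString | Set-Content -Path $Path
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Username
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "Encrypted password file not found: $Path"
    }
    try {
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the session runs as a different account (or on a
        # different computer) than the one that created the file.
        $message = "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME. " +
                   "Re-create the file while running as this account. " +
                   "Detail: $($_.Exception.Message)"
        throw $message
    }
    New-Object System.Management.Automation.PSCredential ($Username, $secure)
}

# One-time setup, run as the account that will later execute the script:
# Save-EncryptedPassword -Path 'D:\Secure\password.txt' -Credential (Get-Credential)

# In the script itself: pass the PSCredential object to a -Credential parameter,
# so the password stays a SecureString.
$Credentials = Get-StoredCredential -Path 'D:\Secure\password.txt' -Username 'user1@domain.local'
Invoke-Command -ComputerName 'server01' -Credential $Credentials -ScriptBlock { whoami }
```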
