how to read from encrypted file in powershell

lupinlicious 136 Reputation points
2022-12-08T16:08:01.747+00:00

Hello,

What I would like to accomplish is to encrypt a Windows account password so it's not written in clear text in PSADT.
I'm deploying this over MDT with clear text (username and password) but would like to change it so the password is not written in clear text.

I use the following line to encrypt the password, and this is done separately (outside of the PSADT) :

# Without -Key, ConvertFrom-SecureString protects the string with DPAPI for the current user on this machine
ConvertTo-SecureString "supersecretpassword" -AsPlainText -Force | ConvertFrom-SecureString | Out-File "D:\Password\userpassword.txt"

I try to decrypt the file in PSADT with the following lines:

# READ THE FILE AND CONVERT IT BACK TO A SECURE STRING
$secure_str = Get-Content -Path "$ScriptDirectory\SupportFiles\userpassword.txt"

# DECRYPT THE ORIGINAL TEXT
# (the static member call must stay on one line; a line break after '::' is a syntax error)
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR(($secure_str | ConvertTo-SecureString))
[Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # release the unmanaged copy of the password

When I'm deploying the script over MDT I get the following error:

+ SecureStringtoBSTR($($secure.str|  
Convertto-SecureString)));  
  
Error Inner Exceptions  

However, if I run the script in PowerShell ISE, I can see the password, so it seems to have successfully decrypted the file.

I'm running PSADT 3.8.4


4 answers

  1. lupinlicious 136 Reputation points
    2022-12-09T10:07:38.677+00:00

    Thank you @Rich Matheisen

    I did the following and it seems to work:

    $File = "D:\test3\Password.txt"
    [Byte[]] $key = (1..16)                      # static 16-byte key used for the encryption below
    $Password = "supersecret" | ConvertTo-SecureString -AsPlainText -Force
    $Password | ConvertFrom-SecureString -Key $key | Out-File $File

    $KeyFile = "D:\test3\AES.key"
    $Key = New-Object Byte[] 16                  # overwrites $key above (variable names are case-insensitive)
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
    $Key | Out-File $KeyFile                     # one byte per line; generated after the encryption, so the file was not encrypted with this key
    

    And from the PSADT script, I added:

    $File = "$ScriptDirectory\SupportFiles\Password.txt"
    [Byte[]] $key = (1..16)                      # must be the same key the file was encrypted with
    $SecurePassword = Get-Content $File | ConvertTo-SecureString -Key $key
    

    The AES.key is stored somewhere else.

    I would like to continue and test out the XML file you're mentioning.
    Do you know a good link where I can look and try out the XML?
    I'm not sure what "create a credential on each machine" means, like a user account or something else?

    Thank you!


  2. Rich Matheisen 47,901 Reputation points
    2022-12-08T19:07:42.197+00:00

    You can't do that. The string is encrypted using the encryption key on the local ("MachineA") machine. When you try to decrypt the string on another machine ("MachineB") it's going to use the encryption key on that machine.

    You can use your own key to do the encryption (use the "-Key" parameter) and then use that same key to decrypt it on the other machine. That's not very secure though; passing the key along with the encrypted string isn't much better than using Base64 encoding (obfuscation vs. security).

    The most secure way would be to create a credential on each machine, export that to an XML file and then secure the file using the file system security.

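The following is an added example, not code from the thread, showing the "-Key" approach with the key kept in a separate, ACL-protected file rather than generated after the fact or shipped beside the ciphertext. The paths and the 'lab' user name are placeholders. The caveat from the answer above still applies: anyone who can read both files can recover the password, so the key file must only be readable by the account that runs the deployment.

```powershell
# Added example (not from the thread): protect a password with a caller-supplied AES key
# kept in a separate file, then recover it in another session. Paths are placeholders.
$KeyFile      = 'D:\keys\AES.key'          # placeholder: protected location, not in the package
$PasswordFile = 'D:\deploy\Password.txt'   # placeholder: ships with the deployment package

function New-AesKeyFile {
    param([string]$Path, [int]$SizeInBytes = 32)   # 16, 24 or 32 bytes; 32 = AES-256
    $key = New-Object byte[] $SizeInBytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    # One Base64 line is easier to read back than one decimal value per line.
    [Convert]::ToBase64String($key) | Set-Content -Path $Path -Encoding ASCII
    # Restrict the key file to Administrators and SYSTEM only; drop inherited ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AesKey {
    param([string]$Path)
    [Convert]::FromBase64String((Get-Content -Path $Path -Raw).Trim())
}

function Protect-PasswordToFile {
    param([securestring]$Password, [byte[]]$Key, [string]$Path)
    $Password | ConvertFrom-SecureString -Key $Key | Set-Content -Path $Path -Encoding ASCII
}

function Unprotect-PasswordFromFile {
    param([byte[]]$Key, [string]$Path)
    (Get-Content -Path $Path -Raw).Trim() | ConvertTo-SecureString -Key $Key
}

# One-time setup on the build machine (interactive, so the password never sits in a script):
New-AesKeyFile -Path $KeyFile
$key   = Get-AesKey -Path $KeyFile
$plain = Read-Host -Prompt 'Password to protect' -AsSecureString
Protect-PasswordToFile -Password $plain -Key $key -Path $PasswordFile

# Later, in the deployment script (any machine that can read both files):
$key    = Get-AesKey -Path $KeyFile
$secure = Unprotect-PasswordFromFile -Key $key -Path $PasswordFile
$cred   = New-Object System.Management.Automation.PSCredential('lab', $secure)
# Pass $cred to cmdlets that take -Credential; avoid converting it back to plain text unless an API requires it.
```

Because the key file is the real secret here, it belongs on a share or local path that only the deployment account can read; copying it into SupportFiles next to Password.txt would reduce the scheme to the obfuscation the answer warns about.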

  3. lupinlicious 136 Reputation points
    2022-12-09T12:32:14.483+00:00

    I got it to work with the XML, not sure if this is what you meant @Rich Matheisen.

    Is this the most secure way to do this?

    $secureStringPassword = ConvertTo-SecureString -String 'supersecretpassword' -AsPlainText -Force
    # Two equivalent ways of building the same PSCredential object:
    $credential = [PSCredential]::new( 'lab', $secureStringPassword )
    $credential = New-Object -TypeName PSCredential -ArgumentList 'lab', $secureStringPassword
    $credential | Export-Clixml D:\test4\mycredential.xml
    

    and inside of PSADT i added the following:

    $credential = Get-Content -Path "$ScriptDirectory\SupportFiles\mycredential.xml"            # the file's lines as plain strings
    $credentialXML = [Xml] (Get-Content -Path "$ScriptDirectory\SupportFiles\mycredential.xml")  # the same file parsed into an XmlDocument
    

    What is the difference between these two methods?

    Thanks!


  4. Rich Matheisen 47,901 Reputation points
    2022-12-09T15:57:54.707+00:00

    Have a look at the answer in this link: save-pscredential-in-the-file

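As an added example for the XML approach discussed in the last two posts (not code from the thread or from the linked answer), the following shows the round trip that actually yields a credential object: Export-Clixml on the way out and Import-Clixml on the way back. Export-Clixml protects the password with DPAPI, just like ConvertFrom-SecureString without -Key, so the file only decrypts for the same user on the same machine; that is why it has to be created on each target machine under the account that will run the deployment. The path and the 'lab' user name are placeholders.

```powershell
# Added example (not from the thread). Run the setup part on each target machine, logged on
# as the account that will later run the deployment script; the exported file is bound to
# that user and machine by DPAPI and cannot be decrypted anywhere else.
$CredFile = 'C:\ProgramData\Deploy\mycredential.xml'   # placeholder path

function Save-DeployCredential {
    param([string]$UserName, [string]$Path)
    $cred = Get-Credential -UserName $UserName -Message 'Password for the deployment account'
    $cred | Export-Clixml -Path $Path
    # Lock the file down to SYSTEM and the exporting user; drop inherited ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in $me, 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DeployCredential {
    param([string]$Path)
    $cred = Import-Clixml -Path $Path
    # Import-Clixml rehydrates the PSCredential and decrypts the SecureString via DPAPI;
    # a file exported by another user or on another machine fails here, not silently later.
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path did not deserialize to a PSCredential"
    }
    $cred
}

# One-time setup (interactive), per machine and per account:
Save-DeployCredential -UserName 'lab' -Path $CredFile

# In the deployment script:
$credential = Get-DeployCredential -Path $CredFile
$credential -is [System.Management.Automation.PSCredential]   # True: usable with -Credential

# For contrast, the two lines from the earlier post never decrypt anything:
$lines = Get-Content -Path $CredFile          # array of text lines, password still encrypted
$xml   = [xml](Get-Content -Path $CredFile)   # XmlDocument of the same markup, password still encrypted
$lines -is [System.Management.Automation.PSCredential]   # False
$xml   -is [System.Management.Automation.PSCredential]   # False
```

Get-Content and the [xml] cast only give you the file's text or its parsed markup; the password inside stays an encrypted DPAPI blob. Import-Clixml is the counterpart of Export-Clixml and is the only one of the three that returns a PSCredential.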
