how to read from encrypted file in powershell

Question

Hello,

What I like to accomplish is to encrypt a Windows account password so it's not written in clear text in PSADT.
I'm deploying this over MDT with clear text (username and password) but would like to change so the password it not written in clear text.

I use the following line to encrypt the password, and this is done separately (outside of the PSADT) :

ConvertTo-SecureString "supersecretpassword" -AsPlainText -Force | ConvertFrom-SecureString | Out-File "D:\Password\userpassword.txt"  

I try to decrypt the file in PSADT with the following lines:

READ THE FILE AND CONVERT IT BACK TO A SECURE STRING  
$secure_str = gc -Path "$ScriptDirectory\SupportFiles\userpassword.txt"  
   
DECRYPT THE ORIGINAL TEXT  
  
    [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::  
    SecureStringToBSTR($($secure_str| Convertto-SecureString)));   

When I'm deploying the script over MDT I get the following error:

+ SecureStringtoBSTR($($secure.str|  
Convertto-SecureString)));  
  
Error Inner Exceptions  

However, if I'm running the script in Powershell ISE and I can see the password, which seems to successfully decrypted the file.

I'm running PSADT 3.8.4

Answer 1

Thank you @Rich Matheisen

I did the following and it seems to work:

$File = "D:\test3\Password.txt"  
[Byte[]] $key = (1..16)  
$Password = "supersecret" | ConvertTo-SecureString -AsPlainText -Force  
$Password | ConvertFrom-SecureString -key $key | Out-File $File  
  
$KeyFile = "D:\test3\AES.key"  
$Key = New-Object Byte[] 16   
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)  
$Key | out-file $KeyFile  

And from the PSADT script, I added:

	$File = "$ScriptDirectory\SupportFiles\Password.txt"  
	[Byte[]] $key = (1..16)  
	Get-Content $File | ConvertTo-SecureString -Key $key  

The AES.key is stored somewhere else.

I would like to continue and test out the xml file you're mentioning about.
Do you know a good link where I can look and try out the XML?
I'm not sure what "create a credential on each machine" means, like user account or something else?

Thank you!

Answer 2

You can't do that. The string is encrypted using the encryption key on the local ("MachineA) machine. When you try to decrypt the string on another machine ("MachineB") it's going to use the encryption key on that machine.

You can use your own key to do the encryption (use the "-Key" parameter) and then use that same key to decrypt in on the other machine. That's not very secure though; passing the key along with the encrypted string isn't much better than using Base64 encoding (obfuscation vs. security).

The most secure way would be to create a credential on each machine, export that to an XML file and then secure the file using the file system security.

Answer 3

I got it to work with the XML, not sure if this is what you meant @Rich Matheisen

Is this the most secure way to do this?

$secureStringPassword = ConvertTo-SecureString -String 'supersecretpassword' -AsPlainText -Force  
$credential = [PSCredential]::new( 'lab', $secureStringPassword )   
$credential = New-Object -TypeName PSCredential -ArgumentList 'lab', $secureStringPassword  
$credential | Export-Clixml D:\test4\mycredential.xml  

and inside of PSADT i added the following:

$credential = Get-Content -Path "$ScriptDirectory\SupportFiles\mycredential.xml"   
$credentialXML = [Xml] (Get-Content -Path "$ScriptDirectory\SupportFiles\mycredential.xml")  

What is the differences between these two methods?

Thaanks!

Answer 4

Have a look at the answer in this link: save-pscredential-in-the-file