
Converting Secure String

I recently heard a question about ConvertTo-SecureString and ConvertFrom-SecureString.

These cmdlets can be a little confusing, so let's talk a little about them.

Before you read the rest, it is key to understand what a Secure String actually is.

A Secure String (System.Security.SecureString) is a piece of text that is held in memory in encrypted form rather than as an ordinary .NET string. Ordinary strings are immutable and are copied around freely by the runtime, so a password kept in one can linger in the managed heap, show up in logs and transcripts, and be read out of a memory dump. A Secure String is encrypted in place (on Windows via DPAPI), can be zeroed when you are done with it, and is only decrypted for the brief moment you explicitly marshal it out. It is a defence against accidental exposure, not against a hostile process: any code running in your session can decrypt it, and on non-Windows platforms .NET does not encrypt the contents at all.

More Info Here
http://msdn2.microsoft.com/en-us/library/system.security.securestring.aspx

ConvertTo-SecureString: http://technet.microsoft.com/en-us/library/bb978707.aspx
I think this is where it gets a little confusing for people. ConvertTo-SecureString takes an already-encrypted "standard string" (specifically, the output of ConvertFrom-SecureString) and rebuilds the Secure String from it. If you just want to turn a piece of plain text into a Secure String, you can pass -AsPlainText together with -Force; -Force is your acknowledgement that the plain text has already been sitting in memory as an ordinary string.

ConvertFrom-SecureString: http://technet.microsoft.com/en-us/library/bb978629.aspx
This converts a Secure String to text. It is important to note that this is NOT the original text but the string representation of the encrypted contents. This is the tool for exporting a Secure String to a file in encrypted form.

One other note before I show the code. By default (unless you provide a -Key) the cmdlet uses the Windows Data Protection API (DPAPI) with the current user's scope. This is VERY important: the result is reasonably well protected, but it can only be decrypted by the same user account on the same machine, so a file exported under your account will not import under a service account or on another server. If you supply a -Key, the Secure String is instead encrypted with AES using that key (16, 24 or 32 bytes for AES-128, -192 or -256). That output is portable, but it is exactly as secret as the key: if the key is a constant in the same script that reads the file, you have obfuscation rather than protection, which is what people mean when they call it security by obscurity.
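The two modes side by side, as an added example that is not code from the original post. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (DPAPI is Windows-only); the sample secret, the helper Get-PlainText and the file names under $env:TEMP are constructed for the example.

```powershell
# Added example, not code from the original post: DPAPI (no -Key) versus AES (-Key).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Secret, helper name and
# file names are constructed for the example.

$secretText = 'CorrectHorseBatteryStaple'          # constructed sample, not a real secret
$secret     = ConvertTo-SecureString $secretText -AsPlainText -Force

function Get-PlainText([SecureString]$s) {
    # NetworkCredential does the SecureString -> string marshalling for us
    [System.Net.NetworkCredential]::new('', $s).Password
}

# --- 1. No -Key: DPAPI, current-user scope -------------------------------------------
# The hex output starts with the DPAPI blob header (01000000d08c9ddf...) and can only be
# reversed by the same user account on the same machine. No key to manage or leak.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secret
$roundTrip = ConvertTo-SecureString -String $dpapiBlob
if ((Get-PlainText $roundTrip) -ne $secretText) { throw 'DPAPI round trip failed' }

# --- 2. -Key: AES with a key you supply (16/24/32 bytes = AES-128/192/256) ------------
# Portable across users and machines, but only as secret as the key. Generate it from the
# CSPRNG; a literal like (200..231) in the script next to the file is obfuscation only.
$key = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$keyedBlob = ConvertFrom-SecureString -SecureString $secret -Key $key

# Keep key and ciphertext apart (separate file with a tight ACL, or a vault).
$keyPath  = Join-Path $env:TEMP 'example.key'
$blobPath = Join-Path $env:TEMP 'example.secure'
[System.IO.File]::WriteAllBytes($keyPath, $key)    # same call works in PS 5.1 and 7
Set-Content -Path $blobPath -Value $keyedBlob

# Whoever holds the key file can recover the text, as any user on any machine:
$loadedKey = [System.IO.File]::ReadAllBytes($keyPath)
$loadedSec = ConvertTo-SecureString -String (Get-Content -Path $blobPath) -Key $loadedKey
if ((Get-PlainText $loadedSec) -ne $secretText) { throw 'keyed round trip failed' }

# A wrong key almost always fails the AES padding check and throws; in the rare case the
# padding happens to validate you get garbage instead, so compare the result as well.
$wrongKey = [byte[]]::new(32)   # all zeros
$detected = $true
try {
    $bad      = ConvertTo-SecureString -String $keyedBlob -Key $wrongKey
    $detected = (Get-PlainText $bad) -ne $secretText
} catch { Write-Host "Wrong key rejected: $($_.Exception.Message)" }
if (-not $detected) { throw 'wrong key was not detected' }

Remove-Item $keyPath, $blobPath
```

The practical rule that falls out of this: use the DPAPI form when the script will always run as the same account on the same box, and use -Key only when you have somewhere better than the script itself to keep the key.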

Now let's look at what we have. Nothing magic here: three functions, Export-EncryptedText, Import-EncryptedText and Get-EncryptedText.
Export-EncryptedText: takes a Secure String and exports it to a file (DPAPI-protected, or AES-encrypted if a key is given)
Import-EncryptedText: reads the exported text from the file and returns a Secure String
Get-EncryptedText: converts a Secure String back into the original plain text

We use "Read-Host -AsSecureString" to turn the text we type into a Secure String, so the plain text never exists as an ordinary string in the session.

function Export-EncryptedText{
    # $text must be a SecureString; $key (optional) a 16, 24 or 32 byte array
    param([SecureString]$text,$file,$key)
    if($key){ConvertFrom-SecureString -SecureString $text -Key $key | Out-File $file}
    else{ConvertFrom-SecureString -SecureString $text | Out-File $file}
}
function Import-EncryptedText{
    # Reads the single encrypted line written by Export-EncryptedText
    Param($file,$key)
    $textFromFile = Get-Content $file
    if($key){ConvertTo-SecureString $textFromFile -Key $key}
    else{ConvertTo-SecureString $textFromFile}
}
function Get-EncryptedText([SecureString]$text) {
    # Decrypt into unmanaged memory, copy out as a .NET string, then zero and free the buffer.
    # The returned string is an ordinary immutable string, so keep its lifetime short.
    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($text)
    $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
    $result
}

# Example Use
$dataToStore = Read-Host -AsSecureString
# (type the text to protect at the prompt, e.g. "My String To Encrypt Here")

# Key… needs to be a 16, 24, or 32 byte array. This fixed, guessable key is for
# illustration only; for real use generate a random one and keep it away from the file.
$key = [byte[]](200..231)

# Use this to put the password in a file (omit -key to use DPAPI instead)
Export-EncryptedText -text $dataToStore -file c:\data\testfile.secure -key $key

# To get the password back as a Secure String you do this
$myText = Import-EncryptedText c:\data\testfile.secure -key $key

# To see the plain text use Get-EncryptedText
Get-EncryptedText $myText
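Most of the time you do not want the plain text at all; you want to hand the secret to a cmdlet that takes -Credential. The following added example (not code from the original post) goes one step beyond the functions above: it persists a whole PSCredential with the same DPAPI protection via Export-Clixml, checks that nothing readable landed on disk, and shows the PSCredential route to the plain text for the cases that still need it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the user name, password and file path are constructed for the example.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows. User name, password and file path are constructed samples.

$user     = 'CONTOSO\svc-backup'                                  # constructed sample
$password = ConvertTo-SecureString 'S3cret-Example!' -AsPlainText -Force
$cred     = [pscredential]::new($user, $password)
$credFile = Join-Path $env:TEMP 'svc-backup.cred.xml'

# Export-Clixml serialises the SecureString through the same DPAPI path as
# ConvertFrom-SecureString without -Key, so the file is bound to this user on this machine.
$cred | Export-Clixml -Path $credFile

# Check: the plain text must not appear anywhere in the file.
if (Select-String -Path $credFile -Pattern 'S3cret-Example!' -SimpleMatch -Quiet) {
    throw 'plaintext leaked into the credential file'
}

# Later, in a script running as the same user on the same machine:
$loaded = Import-Clixml -Path $credFile
if ($loaded.UserName -ne $user) { throw 'user name did not survive the round trip' }
# ...and pass it straight on, e.g.
# Invoke-Command -ComputerName server01 -Credential $loaded -ScriptBlock { hostname }

# Only when an API insists on a string: GetNetworkCredential() does the marshalling that
# Get-EncryptedText does by hand. The result is an ordinary immutable string; keep it scoped.
$plain = $loaded.GetNetworkCredential().Password
if ($plain -ne 'S3cret-Example!') { throw 'password did not survive the round trip' }

# If Import-Clixml is run by a different account or on a different machine, the DPAPI
# decryption inside the deserialiser fails (typically "Key not valid for use in specified
# state"). The fix is to re-run the export as that account on that machine.
Remove-Item $credFile
```

The Select-String check is cheap and worth keeping in any script that writes secrets to disk: it catches the classic mistake of exporting a plain string instead of a SecureString, which Export-Clixml will happily do without complaint.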

No Responses to “Converting Secure String”

  1. [...] Secure String Followup As a follow up on Converting Secure String discussed here: http://bsonposh.com/modules/wordpress/?p=66 Joel “Jaykul” Bennett released this script: http://www.powershellcentral.com/scripts/116 This is a slightly more secure way to store passwords in a text file for use later. Check it out. [...]
