
Using Get-Credential to Store Passwords “securely” in a file.

Lee Holmes of PowerShell Cookbook fame has a post here: Importing and Exporting Credentials in PowerShell. After fielding a few questions on EE regarding this post, I wrote these two scripts to make it a little simpler.

Set-myCredential: This will prompt you for credentials and store them in the file specified.

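#####################
#Set-myCredential.ps1
# Prompts for credentials and writes the encrypted password to $File.
Param($File)
$Credential = Get-Credential
# ConvertFrom-SecureString encrypts the password with the current user's key
$Credential.Password | ConvertFrom-SecureString | Set-Content $File
#####################

Get-myCredential: This will get your credentials from the file specified. It requires that you know the user name.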

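#####################
#Get-myCredential.ps1
# Rebuilds a PSCredential from the user name and the encrypted password in $File.
Param($User,$File)
# Only the user who encrypted the file can convert it back to a SecureString
$password = Get-Content $File | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($User,$password)
$credential
#####################

With these two scripts you can do something like this (using the VMware Toolkit, for example):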

c:\scripts\Set-myCredential.ps1 c:\tools\mp.txt
$creds = c:\scripts\Get-myCredential.ps1 MyUserName c:\tools\mp.txt
Get-ViServer MyVirtualCenter -cred $creds
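
A variant of the two scripts above, as an added example that is not part of the original post: it stores the user name next to the encrypted password, so the caller does not have to supply it, and it reports a clear error when the current account cannot decrypt the file. The function names `Export-MyCredential` and `Import-MyCredential` and the two-line file layout are assumptions made for this illustration; it needs PowerShell v2 or later for `try`/`catch`.

```powershell
# Added example. Function names and the two-line file layout are assumptions.

function Export-MyCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    # Without -Key, ConvertFrom-SecureString protects the password with DPAPI,
    # so only the same Windows user, normally on the same machine, can decrypt it.
    $protected = $Credential.Password | ConvertFrom-SecureString
    # Line 1: user name (not secret). Line 2: DPAPI-protected password.
    Set-Content -Path $Path -Value @($Credential.UserName, $protected)
}

function Import-MyCredential {
    param([Parameter(Mandatory = $true)][string]$Path)

    $lines = @(Get-Content -Path $Path -ErrorAction Stop)
    if ($lines.Count -ne 2) {
        throw "Expected 2 lines (user name, protected password) in '$Path', found $($lines.Count)."
    }
    try {
        $password = ConvertTo-SecureString -String $lines[1] -ErrorAction Stop
    }
    catch {
        # Typical when the file was written by another user or on another
        # machine; a corrupted file also ends up here.
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME. Re-create the file as the account that will run the script. ($($_.Exception.Message))"
    }
    New-Object System.Management.Automation.PSCredential($lines[0], $password)
}

# Usage: capture once, interactively, as the account that will run the script.
# Export-MyCredential -Path C:\tools\mp.txt
# $creds = Import-MyCredential -Path C:\tools\mp.txt
```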

10 Responses to “Using Get-Credential to Store Passwords “securely” in a file.”

  1. on 05 Jul 2008 at 12:47 pm glnsize

    Forgive my ignorance on this topic, but am I correct in assuming that there is no way to convert that into clear text?

    Also not trying to nit-pick because I use a similar script, but it is not secure. All someone needs to know is the user name, and location of the file… That is unless you use EFS on your password file :)

  2. on 05 Jul 2008 at 1:34 pm tshell

    It is secure in that it is encrypted similar to EFS. The only one who can decrypt the text is the user that encrypted it. The need for the user name is because the credential object needs to know who the password is for :)

    I have to say, it is funny you brought this up though. I have been debating a blog post planned on storing the password in a secure fashion so it can be used by multiple users.

  3. on 14 Jul 2008 at 3:42 pm Martin Zugec

    Heya tshell,

    that is not exactly correct… Following code will show password in plaintext:

    $credential = New-Object System.Management.Automation.PsCredential("MyFakeID",$password)
    $credential.GetNetworkCredential()

    That is something I really don’t like about SecureString – it is not really secure once you know it is SecureString :(

    Martin

  4. on 14 Jul 2008 at 4:44 pm tshell

    While I agree that $credential.GetNetworkCredential() will return the password in clear text, that is only because you (the user) are the one that encrypted the string with your (the user) key. They call it a SecureString because it is stored “securely” in memory.

    If I use Get-Credential and export it to file using ConvertFrom/To-SecureString, you (a different user) will not be able to use it. Only I (original user) can decrypt it, which is OK since I was the one to supply it to begin with.

  5. on 12 Jul 2009 at 5:49 pm Wayne

    Thanks for the info!

  6. on 04 Nov 2009 at 10:42 am Iskondi

    Perhaps I’m doing something wrong, but when I store the credentials in a file and then try and use that file from another machine it won’t function, which defeats the purpose for me…. I’m trying to write a post install script that will join up with the domain but since the credential file will ONLY work on the machine it was created on there is no point in my using it…

    I’m assuming I’m doing something stupid…
    Thanks!
    Iskondi

  7. on 05 Nov 2009 at 8:59 am tshell

    That is a bug in V1 and should work in v2 (haven’t tested it)

  8. on 08 Jan 2010 at 2:33 am hovelsj

    I use v2 and experience the same problem as “Iskondi”.

  9. on 11 Jan 2010 at 6:07 am tshell

    Are you using XP with V2?

  10. on 14 Jan 2010 at 1:41 pm Aaron Dodd

    For those needing to store a password to use on multiple machines/accounts, you can do the following:

    $User = "domain\someuser"
    $Pass = ConvertTo-SecureString "plaintextpassword" -AsPlainText -Force
    $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Pass

    Then you can pass the $Credentials object to whatever requires the authentication.

    This kind of defeats the “security” of the SecureString but then the whole concept seems geared towards keeping secure input you’re prompted for. It’s “more secure” to save the password to the text file as discussed above, but to do so as the user that will be running the script.
