
Using Get-Credential to Store Passwords “securely” in a file.

Lee Holmes of PowerShell Cookbook fame has a post here: Importing and Exporting Credentials in PowerShell. After fielding a few questions on EE regarding this post, I wrote these two scripts to make it a little simpler.

Set-myCredential: This will prompt you for credentials and store them in the file specified.

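#####################
#Set-myCredential.ps1
# Prompts for credentials and saves the password, encrypted, to $File.
Param($File)
$Credential = Get-Credential
# Without -Key, ConvertFrom-SecureString encrypts with DPAPI under the current Windows user's key.
$Credential.Password | ConvertFrom-SecureString | Set-Content $File
#####################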

Get-myCredential: This will get your credentials from the specified file. It requires that you know the user name.

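#####################
#Get-myCredential.ps1
# Rebuilds a PSCredential from the user name and the encrypted password saved in $File.
Param($User,$File)
# Decryption only succeeds for the Windows user who created the file.
$password = Get-Content $File | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($User,$password)
$credential
#####################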

With these two scripts you can do something like this (using the VMware Toolkit, for example):

c:\scripts\Set-myCredential.ps1 c:\tools\mp.txt
$creds = c:\scripts\Get-myCredential.ps1 MyUserName c:\tools\mp.txt
Get-ViServer MyVirtualCenter -cred $creds
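
The two scripts above, combined into an added example (not code from the original post): it stores the user name next to the DPAPI-protected password so the caller does not have to supply it, and reports a clear error when the file is opened by an account that cannot decrypt it. The function names, the JSON layout and the sample values are assumptions, and it needs PowerShell 3.0 or later on Windows.

```powershell
# Added example; function names, JSON layout and sample values are assumptions.
function Save-StoredCredential {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [string] $Path
    )
    # Without -Key, ConvertFrom-SecureString protects the password with DPAPI
    # under the current Windows user's key.
    [pscustomobject]@{
        UserName = $Credential.UserName
        Password = $Credential.Password | ConvertFrom-SecureString
        SavedBy  = "$env:USERDOMAIN\$env:USERNAME"
        SavedOn  = $env:COMPUTERNAME
    } | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Import-StoredCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $record = Get-Content -Path $Path -Raw | ConvertFrom-Json
    try {
        $secure = $record.Password | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # An account other than the one that saved the file cannot unprotect the DPAPI blob.
        throw "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME; saved by $($record.SavedBy) on $($record.SavedOn)."
    }
    New-Object System.Management.Automation.PSCredential($record.UserName, $secure)
}

# Constructed sample values so the example runs without a prompt; use Get-Credential in practice.
$path   = Join-Path $env:TEMP 'demo-cred.json'
$secret = ConvertTo-SecureString 'constructed-demo-password' -AsPlainText -Force
$sample = New-Object System.Management.Automation.PSCredential('MyUserName', $secret)

Save-StoredCredential -Credential $sample -Path $path
$loaded = Import-StoredCredential -Path $path
$loaded.UserName
# The account that saved the file can always recover the plaintext, as the comments below discuss.
$loaded.GetNetworkCredential().Password -eq 'constructed-demo-password'
Remove-Item $path
```

The protection holds against other accounts reading the file, not against code running as the account that saved it.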

4 Responses to “Using Get-Credential to Store Passwords “securely” in a file.”

  1. on 05 Jul 2008 at 12:47 pm glnsize

    Forgive my ignorance on this topic, but am I correct in assuming that there is no way to convert that into clear text?

    Also not trying to nit-pick because I use a similar script, but it is not secure. All someone needs to know is the user name, and location of the file… That is unless you use EFS on your password file :)

  2. on 05 Jul 2008 at 1:34 pm tshell

    It is secure in that it is encrypted similarly to EFS. The only one who can decrypt the text is the user that encrypted it. The need for the user name is because the credential object needs to know who the password is for :)

    I have to say, it is funny you brought this up though. I have been debating a planned blog post on storing the password in a secure fashion so it can be used by multiple users.

  3. on 14 Jul 2008 at 3:42 pm Martin Zugec

    Heya tshell,

    that is not exactly correct… The following code will show the password in plaintext:

    $credential = New-Object System.Management.Automation.PsCredential("MyFakeID",$password)
    $credential.GetNetworkCredential()

    That is something I really don’t like about SecureString - it is not really secure once you know it is SecureString :(

    Martin

  4. on 14 Jul 2008 at 4:44 pm tshell

    While I agree that $credential.GetNetworkCredential() will return the password in clear text, that is only because you (the user) are the one that encrypted the string with your (the user) key. They call it a SecureString because it is stored “securely” in memory.

    If I use Get-Credential and export it to a file using ConvertFrom/To-SecureString, you (a different user) will not be able to use it. Only I (the original user) can decrypt it, which is ok since I was the one to supply it to begin with.
