Explain secure password Encryption with PowerShell.


We often need to use passwords in PowerShell and pass them to the Credential parameter. A password should always be a secure string, not plain text. There are a few methods to encrypt the password, as described below.

a) Get-Credential Format

One way to store a username and password is the Get-Credential cmdlet. It provides a GUI prompt. You can store the result in a variable and use it later in a command.

$cred = Get-Credential

The credentials are stored in the $cred variable. The value of the variable is shown below.

PS C:\WINDOWS\system32> $cred
UserName       Password
--------       --------
test       System.Security.SecureString

You can see the password is stored as a secure string. You can use the above variable with the Credential parameter of any cmdlet that supports it.

For example,

Invoke-Command -ComputerName Test-PC -ScriptBlock {Get-Service} -Credential $cred

To see how this password looks in encrypted form, use the ConvertFrom-SecureString command.

PS C:\WINDOWS\system32> $cred.Password | ConvertFrom-SecureString
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe83583138f0ce4bb0e3654f0529948100000000020000000000

b) Secure String Format

Another method to get the password as a secure string is to use the Read-Host command with the -AsSecureString parameter.

PS C:\WINDOWS\system32> $passwd = Read-Host "Enter Password" -AsSecureString
Enter Password: *******

You can use this password directly in cmdlets that support the Credential parameter by creating a new PSCredential object, as shown in the example below.

$username = Read-Host "Enter UserName"
$passwd = Read-Host "Enter Password" -AsSecureString

$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$passwd

Connect-VIServer -Server TestvCenter.lab -Credential $creds

When you check this password variable, it is also in the SecureString format, and again you can retrieve the encrypted password by piping it to the ConvertFrom-SecureString command.

PS C:\WINDOWS\system32> $passwd

PS C:\WINDOWS\system32> $passwd | ConvertFrom-SecureString

Once your password is a secure string, you can use it directly as the password. You don't need to get the encrypted password with ConvertFrom-SecureString; that command is only for viewing the encrypted form of the secure string.

c) Clear text format

What if the password is in clear text? You can use a clear text password directly in a command that supports the Password parameter, but this method is not recommended: the password is exposed in clear text, which can cause a major security breach. See the example below.

Connect-VIServer -Server TestvCenter.lab -User "Testadmin" -Password "PowerShell"

You can convert the clear text password into the secure string format. This is useful when you have a password text file placed in a secure location and PowerShell needs to use the password without clear text. The process is shown below.

$passwd = "Test@123" | ConvertTo-SecureString -AsPlainText -Force

PS C:\WINDOWS\system32> $passwd

Now our password is secured and we can use it as the password in our credential. Here, we connect to the vCenter server named TestvCenter.lab with the $creds variable.

$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "test",$passwd

Connect-VIServer -Server TestvCenter.lab -Credential $creds

You can see the encrypted password with the method below. It is in the text encoded format, not the original password.

PS C:\WINDOWS\system32> $passwd | ConvertFrom-SecureString
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe83583138f0ce4bb0e3654f052994810000000002

If you need to store this password in a file, you can use the command below.

PS C:\WINDOWS\system32> $passwd | ConvertFrom-SecureString | Out-File C:\Passwd.txt

When you retrieve the password, you need to convert it back to the secure string format, because the Credential parameter only accepts secure strings.

PS C:\WINDOWS\system32> $passwd = (Get-Content C:\Passwd.txt) | ConvertTo-SecureString

PS C:\WINDOWS\system32> $passwd

You can use this password in the credential parameter of the supported cmdlets.
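
The save and reload steps above, written as two helper functions (an added example, not code from the original page; the function names Save-StoredPassword and Get-StoredCredential and the file path are hypothetical). It assumes Windows, where ConvertFrom-SecureString without -Key protects the value with DPAPI, so the saved file can be decrypted only by the same user on the same computer, and it handles the failure you get otherwise.

```powershell
# Added example. Function names and the file path are hypothetical, not from the page.
function Save-StoredPassword {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Path
    )
    # Without -Key, the output is DPAPI-protected: bound to this user and this computer.
    $Password | ConvertFrom-SecureString |
        Set-Content -LiteralPath $Path -Encoding ascii
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Password file not found: $Path"
    }
    try {
        # Read only the first line so a trailing newline never reaches the converter.
        $secure = Get-Content -LiteralPath $Path -TotalCount 1 |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was written by another account or on another machine.
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# One-time, interactive step: the password is typed, never written into the script.
$file = Join-Path $env:LOCALAPPDATA 'vcenter-passwd.txt'   # constructed path
Save-StoredPassword -Password (Read-Host 'Enter Password' -AsSecureString) -Path $file

# Later, unattended, as the same user on the same computer:
$creds = Get-StoredCredential -UserName 'test' -Path $file
$creds.UserName            # the user name passed in
$creds.Password.Length     # character count only; the value stays a SecureString
# Connect-VIServer -Server TestvCenter.lab -Credential $creds
```

Because any process running as the same user can decrypt the file, keep it in that user's profile rather than a shared location such as C:\.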

Published on 16-May-2020 14:26:20