Easy Stored Credentials

Posted
Comments None

This will be a quicky. If you want to save credentials for a PowerShell script, there are several methods you can use, but the one I prefer is to simply save a [System.Management.Automation.PSCredential] object using Export-CLIXML. This only works in PS version 3.0 and later. Toward the end I’ll detail a legacy PowerShell method.

First, open a PS Console session using the context that will be running the script. That means you are logging in as the account, on the system, where the credentials will be called. If you run it on AppSrv01 as AppSvc01, then log into AppSrv01 and right-click PowerShell and run it as AppSvc01.

In the console window, save the credential object, then export as CLI XML. (you’ll have to enter the user name and password after entering Get-Credential)

$Credential = Get-Credential
$Credential | Export-CLIXML [path-to-xml-file]

Piece of cake. Now, to recall that credential object, simply run

$Credential = Import-CLIXML [path-to-xml-file]

As long as the same account/computer is used to recall the credential object as the account that created it, you have a simple method for secure credential storage and retrieval. Now, if you only have access to PowerShell 2 (soon to be deprecated), you might be aware that Import-CLIXML/Export/CLIXML aren’t available. There are several methods for getting around this, but the method I prefer is systematic and straightforward.

$Credential = Get-Credential
$Credential.Password | ConvertFrom-SecureString | Set-Content [path-to-encrypted-password-file]

Note that for convenience, I prefer to save the encrypted password as the username.pass. So, in the example above, the filename would be “AppSvc01.pass”. To retrieve the password:

$Credential = New-Object System.Management.Automation.PSCredential [username],(Get-Content [path-to-encrypted-password-file] | ConvertTo-SecureString)

See? That’s all pretty straightforward and makes it pretty trivial to, at the very least, keep from storing your credentials in plain text. That said, here’s one final helpful/cautionary note about PSCredential objects. The password of a credential object in memory is trivially converted to plaintext, which means it is exactly as secure as the context under which it is stored.

$Credential.GetNetworkCredential().Password

Author

Comments

There are currently no comments on this article.

Comment

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.





← Older Newer →