1

I would like to encrypt a password in PowerShell

I tried this:

In CLI:

```powershell
Read-Host -Prompt "Password ?" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\root.pwd"
```

In my script.ps1:

```powershell
$pwdNAS = Get-Content "D:\root.pwd" | ConvertTo-SecureString
plink.exe root@192.168.x.y -pw $pwdNAS df
```

But it doesn't work...

I tried with credentials, but it doesn't seem to be better...

(My password doesn't have any space or accented character)

Any idea?

Martin Prikryl
jgoup
  • 1
    Why do you want to hand over an 'encrypted' password to plink? Isn't plink part of the putty ssh client implementation? Been about 10 years since I last used MS windows, but I think I recall that the `-pw` option accepts a password, not an encrypted password. – arkascha Feb 11 '13 at 22:27
  • This script is for personal use and will be on different computers for all my family; I don't want them to know my NAS' password if they open the script.ps1... PS: I know that the computer and the user have to be the same for the encryption/decryption; I will do the process on each computer/user. I don't know if I do it well. In fact I want to use `plink.exe root@192.168.x.y -pw $pwdNAS df` in a PowerShell script without my password being visible... – jgoup Feb 11 '13 at 22:36
  • Sorry, but trying to protect your credentials that way won't work. What you are doing is obfuscation, not encryption. – arkascha Feb 11 '13 at 22:47
  • Yeah, sorry for this, finally, it is obfuscation that I want to do... – jgoup Feb 11 '13 at 22:52
  • Obviously it is a wrong approach to try to protect a password this way. Think about using keys for this purpose instead of passwords. Use a different key for each system/user/customer. This way your password does not get compromised. And don't use the `root` account with remote access; actually you are strongly advised to disable root login via ssh. – arkascha Feb 11 '13 at 23:49

3 Answers

1

Of course it doesn't work. plink expects a (cleartext) password for the -pw option, not a SecureString object. If you want to avoid cleartext passwords in your scripts: use public key authentication. If you don't want other people to know your password (or key): give them their own account and password/key.

Ansgar Wiechers
0

For connecting via ssh you're far better off using a key, generated by PuttyGen or another key generation tool like that.

However, there is a way to convert secure strings into plaintext strings, detailed here. Be aware that: a) it will only work if the same user account both encrypts and decrypts the secure string, and b) it's not hugely secure.

0

For decryption, see PowerShell - Decode System.Security.SecureString to readable password:

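```powershell
# Read the saved string and turn it back into a SecureString
$securePass = Get-Content C:\encrypted_password1.txt
$pass = $securePass | ConvertTo-SecureString

# Copy the SecureString to unmanaged memory, read it as a plain string,
# then zero and free the unmanaged copy
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($pass)
$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
plink ... -pw $decrypted
```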

Though, as suggested by the other answers, you had better use public key authentication.

Martin Prikryl
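The round trip discussed in the question and answers, as an added example that is not part of the original posts: it shows that the saved file only hides the password from other users and other computers, that the same user recovers it in one call, and how the key-based form recommended above compares. It assumes Windows PowerShell with `plink.exe` on the PATH; the file name, key path, account and host are placeholders, and `Get-StoredPlainText` and `Invoke-NasDf` are hypothetical helper names.

```powershell
# Added example. File name, key path, account and host below are placeholders.
function Get-StoredPlainText {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # No -Key/-SecureKey: the blob is unprotected with DPAPI, which only
        # succeeds for the Windows user (on the same computer) that created it.
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }   # wipe the unmanaged copy
}

function Invoke-NasDf {
    param([Parameter(Mandatory)][string]$Target, [string]$KeyFile, [string]$PwdFile)
    if ($KeyFile) {
        # Key form (what the answers recommend): no password in script or file.
        & plink.exe -batch -i $KeyFile $Target df
    } else {
        # Password form: the cleartext ends up on plink's command line,
        # where other processes on the machine can read it while plink runs.
        & plink.exe -batch $Target -pw (Get-StoredPlainText -Path $PwdFile) df
    }
}

# Constructed sample input: protect a made-up password the way the question does.
$pwdFile = Join-Path $env:TEMP 'example-nas.pwd'
ConvertTo-SecureString 'Constructed-Sample-Pw' -AsPlainText -Force |
    ConvertFrom-SecureString | Set-Content -LiteralPath $pwdFile

# The file holds a hex-encoded DPAPI blob, not the password text...
$onDisk = Get-Content -LiteralPath $pwdFile -Raw
"Plaintext visible in file : $($onDisk -match 'Constructed-Sample-Pw')"

# ...but any script running as this user gets the password back in one call.
$plain = Get-StoredPlainText -Path $pwdFile
"Recovered by same user    : $($plain -eq 'Constructed-Sample-Pw')"

Remove-Item -LiteralPath $pwdFile
# Usage (placeholders): Invoke-NasDf -Target 'user@nas.example' -KeyFile 'C:\keys\family-pc.ppk'
```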