I don't fully understand your question but get the gist. This will probably be easier if you think in terms of object types (some explanation). [This link is now dead.]
"If I have a password and convert it to a securestring. Is it saved as I entered it? (Being both encrypted or plain text)"
- Your password will be plain text, and have the type `[String]`. This is not encrypted.
- The SecureString has the type `[System.Security.SecureString]`. It is encrypted.
- This encryption happens in memory whenever you create the `SecureString`.
- It's important to note that a key is required to decrypt the `SecureString` (more on that below)
Approach 1
This creates an encrypted `SecureString` variable called `$SecurePassword`. The unencrypted password does not make it to memory.
```powershell
$SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString
```
Approach 2
This creates an unencrypted `String` variable `$PlainPassword`, then a `SecureString` variable.
```powershell
$PlainPassword = Read-Host -Prompt "Enter password"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
```
"Now if I would pass the password as a part of a PSCredential to a PSSession: what would happen?"
- PSSession does not accept unencrypted passwords. To simplify, you can either provide a `User` and be prompted for a password, or pass an object that has the type `PSCredential` - i.e. it is expecting a secure password.
- When you pass a `PSCredential`, it is already encrypted with the password as a `SecureString`.
- But the PSSession needs to decrypt it (this part I am not sure on but assume... how else can it verify it?)
- To decrypt the `SecureString`, the key is required. The key is normally generated and as long as both machines have the same security principal, the PSSession can complete the decryption (this part I'm sure of)
- This post addresses how to create a key so that a `SecureString` can be decrypted when there are different principals.