
I'm trying to get a SecureString as plain text parameter to a command line PowerShell.

I know what the form of the secure string is. For example, the string "abc" would be a Secure String of "71289371289".

Then, I want to pass "71289371289" as a parameter to the script (running it from the command line); that would be my Secure String, and then decrypt it to clear text to pass it to another program I'm calling from PowerShell.

How would I do something like this?

Update:

I ended up using Credfile with PSCredential to persist the credentials across reboots until the script is complete.

Avishay Bar
  • Is it required to be a SecureString? You may find a PSCredential object more simple to use and extract the plain text password from especially in a function. – Persistent13 Jan 25 '19 at 18:00
  • Possible duplicate of [Convert a secure string to plain text](https://stackoverflow.com/questions/28352141/convert-a-secure-string-to-plain-text) –  Jan 25 '19 at 19:45
  • @Persistent13 it is required to be a SecureString. I'd like to have 2 Scenarios: 1. User provides the ClearText Secure-String as a parameter to the PS. 2. User getting prompted for the Username and Password if he didn't provide them on command line to the PS. – Avishay Bar Jan 25 '19 at 22:33
  • A Secure-String is an encrypted object, not a string. You can convert back and forth between a Secure-String and a clear text string, but a user can't enter a Secure-String directly. You should create a new question for scenario 2. – Rich Moss Jan 26 '19 at 00:07

1 Answer


You can convert it back to a clear text password with SecureStringToBSTR:

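```powershell
Param(
    $securestring = (Read-Host -AsSecureString)  # masked prompt when the parameter is omitted
)
Write-Host "Encrypted Password: $(ConvertFrom-SecureString $securestring)"
# Copy the SecureString into an unmanaged BSTR, read it, then zero and free that buffer
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securestring)
try { $ClearText = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Write-Host "Original Password: $ClearText"
```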
Rich Moss
  • My problem here is that the input needs to be masked – Avishay Bar Jan 25 '19 at 20:24
  • `Read-Host -AsSecureString` will mask the input as you are entering it. – Rich Moss Jan 25 '19 at 22:57
  • Is this still going to be a Parameter you can call with -Parameter while running command line? Because it seems to undo the masking. – Avishay Bar Jan 25 '19 at 23:15
  • If you added the code above to a Powershell script named DecryptPassword.ps1, you would call it with commands like this: `$Encrypted = (ConvertTo-SecureString "01000000d08c9ddf0115d1118c7a00c04fc2[shortened for posting]....")` `.\DecryptPassword.ps1 -securestring $Encrypted` If you don't provide the -securestring parameter you'll be prompted to enter it (clear text, not encrypted), and it will be masked as you enter the characters. – Rich Moss Jan 25 '19 at 23:56
  • That's progress. Would it be possible to use this on a scheduled task that is needed to run this ps1 with the secure string parameter? – Avishay Bar Jan 26 '19 at 07:58
  • Yes, it is possible to add the parameter to a scheduled task but it's not secure. It's very easy to get the clear text password from the encrypted one. It would be better to store the credentials in the scheduled task. Please create a new question for configuring the scheduled task. – Rich Moss Jan 28 '19 at 15:53
  • Hey Rick, I ended up using a cred file to persist across reboots. Thanks for all the help – Avishay Bar Jan 29 '19 at 16:11
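
The cred-file approach the asker settled on, covering both scenarios from the comments (credential supplied on the command line, or a masked prompt when it is not), as an added example that is not code from the posts above. The script layout, the `-Credential` and `-CredFile` parameter names, the cred file location and the `other-program.exe` call are assumptions; on Windows `Export-Clixml` protects the password with DPAPI, so only the same user on the same machine can load the file.

```powershell
# Added example (hypothetical script); parameter names and paths are assumptions.
[CmdletBinding()]
param(
    # Scenario 1: the caller passes a PSCredential. Scenario 2: omitted, resolved below.
    [System.Management.Automation.PSCredential]$Credential,
    # Assumed cred file location; any per-user directory works.
    [string]$CredFile = (Join-Path $env:LOCALAPPDATA 'MyScript\cred.xml')
)

if (-not $Credential) {
    if (Test-Path -LiteralPath $CredFile) {
        # After a reboot: reload the saved credential. Decryption succeeds only for
        # the user account and machine that wrote the file.
        $Credential = Import-Clixml -LiteralPath $CredFile
    }
    else {
        # First run without parameters: Get-Credential masks the password as it is typed.
        $Credential = Get-Credential -Message 'Account for the external program'
    }
}

# Persist for later runs. On Windows the password is written encrypted, not as clear text.
$dir = Split-Path -Parent $CredFile
if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
$Credential | Export-Clixml -LiteralPath $CredFile

# Decrypt only at the point of use and keep the clear text short-lived.
$plain = $Credential.GetNetworkCredential().Password
try {
    # Placeholder for the external program (path and switches are hypothetical).
    & 'C:\Tools\other-program.exe' --user $Credential.UserName --password $plain
    $succeeded = ($LASTEXITCODE -eq 0)
}
finally {
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

if ($succeeded) {
    # Work complete: the stored credential is no longer needed.
    Remove-Item -LiteralPath $CredFile -Force -ErrorAction SilentlyContinue
}
```

A scheduled task that runs this script has to run as the same account that created the cred file, since another account cannot decrypt it.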