
The issue is that while running PowerShell scripts, the vCenter password is being captured in the event logs.

So I am trying to encrypt it before we call vCenter.

I am able to encrypt the password using the following:

$Pass = "P@ssword1" | ConvertTo-SecureString -AsPlainText -Force

When I run it with the encrypted password as below

Connect-VIServer -Server $serverName -User $userName -Password $pass

it does not take the encrypted password and I get an error.

I also tried

$Pass = "P@ssword1" | ConvertFrom-SecureString

Even the long encrypted data that was generated cannot be passed as the password to vCenter.

Can you please help with how to pass an encrypted password to vCenter?

Neha Jain

2 Answers

function getCred($role,$credPath){
    $credFile = "$credPath\cred.csv"
    # first run: no store exists yet, so prompt for the credential and create it
    if (!(Test-Path $credFile)){ $cred = setCred $role $credPath }

    if (Test-Path $credFile){
        $credMassiv = @(Import-Csv -Delimiter ";" -Path $credFile)

        $user = $credMassiv | Where-Object {$_.role -eq $role} | Select-Object -Expand user
        # the Encrypted column holds ConvertFrom-SecureString output: a DPAPI-protected string
        # that only decrypts for the same user on the same machine
        $encrypted = $credMassiv | Where-Object {$_.role -eq $role} | Select-Object -Expand Encrypted

        # role not in the store yet: prompt and append it
        if ([string]::IsNullOrEmpty($encrypted)){ $cred = setCred $role $credPath }
        else {
            # no -AsPlainText here, so no plaintext is ever bound to a parameter
            # ($securePwd instead of $pwd, because $PWD is a PowerShell automatic variable)
            $securePwd = $encrypted | ConvertTo-SecureString
            $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $securePwd
        }
    }

    $cred
}

function setCred($role,$credPath){
    $credFile = "$credPath\cred.csv"
    if (Test-Path $credFile){ $credMassiv = @(Import-Csv -Delimiter ";" -Path $credFile) }
    else { $credMassiv = @() }
    $array = "" | Select-Object user, Encrypted, role
    $array.user = Read-Host "user for $role"
    # -AsSecureString: the typed password never becomes a plaintext cmdlet argument,
    # so module logging cannot record it
    $securePwd = Read-Host "password:" -AsSecureString
    # store the DPAPI-protected form, bound to the current user and machine
    $array.Encrypted = ConvertFrom-SecureString -SecureString $securePwd
    $array.role = $role
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $array.user, $securePwd
    $credMassiv += $array
    $credMassiv | Export-Csv -Delimiter ";" -Encoding UTF8 -Path $credFile

    $cred
}
$cred = getCred vcenter $PSScriptRoot
Connect-VIServer -Server $serverName -Credential $cred

Remember, you don't know the encryption key; it is stored in the profile of the current user.

rinat gadeev
  • In the above code the device IP, that is the vCenter IP, is not used... what if I have the same username and password for multiple vCenters??? – Neha Jain Mar 03 '23 at 05:30
  • @NehaJain $serverName = "192.168.1.1"; $serverName2 ="192.168.1.2"; Connect-VIServer -Server $serverName -Credential $cred; ... Disconnect-VIServer $serverName ... Connect-VIServer -Server $serverName2 -Credential $cred – rinat gadeev Mar 04 '23 at 07:08
  • The issue still exists.... after running the code.... in the Windows event logs.... I can see my password in a log called ConvertFrom-SecureString. In this log, the password is stored – Neha Jain Mar 06 '23 at 09:50
  • The password should not be stored in any of the Windows event logs – Neha Jain Mar 06 '23 at 09:51
  • Please help here – Neha Jain Mar 06 '23 at 10:00
  • @NehaJain I can't find it, add the path and/or screenshots – rinat gadeev Mar 06 '23 at 11:28
  • CommandInvocation(ConvertTo-SecureString): "ConvertTo-SecureString " ParamterBinding(ConvertTo-SecureString): name = "AsPlainText "; value = "True" ParameterBinding(ConvertTo-SecureString): name="String"; value="Pasa@123" – Neha Jain Mar 06 '23 at 12:07
  • The above lines are captured in Event Viewer. "Pasa@123" is my original vCenter password before encryption. The path is Applications and Services\Microsoft\Windows\PowerShell\Operational, and the event ID is 4103 – Neha Jain Mar 06 '23 at 12:18
  • Looks like the usage of ConvertTo-SecureString is creating a vulnerability by exposing the password in the event logs.. Is there any other way of encrypting the password before we call the vCenter server? – Neha Jain Mar 07 '23 at 03:53
  • https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/debug-customscriptextension-runcommand-scripts – rinat gadeev Mar 07 '23 at 03:59
  • Not logging off or script block... I am just trying to find other ways of encrypting the password in PowerShell. I am unable to get that – Neha Jain Mar 07 '23 at 04:09
  • Tried a few encryption techniques like ConvertTo-SecureString, ConvertFrom-SecureString and PSCredential. In all these scenarios I am able to see my plaintext password in the event log, even though the encrypted string or PSCredential is passed as the password to the vCenter method call – Neha Jain Mar 07 '23 at 05:40
  • I don't have an event with code 4103, apparently my logging level is lower than yours – rinat gadeev Mar 07 '23 at 07:09
  • Maybe it is logging with another event code.. just try exporting the complete log to CSV. Search for the vCenter cleartext password in Excel; you will find the password in Excel – Neha Jain Mar 07 '23 at 07:20
  • https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/debug-customscriptextension-runcommand-scripts#understand-the-output https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/debug-customscriptextension-runcommand-scripts#turn-off-logging-of-powershell-script-execution – rinat gadeev Mar 07 '23 at 08:25
  • The above link is not useful – Neha Jain Mar 07 '23 at 08:41
  • What is the problem with disabling PowerShell script execution logging? – rinat gadeev Mar 07 '23 at 09:59
  • I have tried disabling it but the logging is still happening. https://stackoverflow.com/questions/75692355/powershell-logging-is-not-diasabling-in-event-viewer-even-though-block-and-off-t – Neha Jain Mar 10 '23 at 06:16
  • Enable PowerShell script block logging in the registry as well as in local computer policy. Then you will be able to see the 4103 log, and then the issue will be reproduced – Neha Jain Mar 17 '23 at 13:02

Why do you expect that Connect-VIServer accepts an encrypted password?

It does accept a credential, which includes a username and an (encrypted) password:

$Credentials = Get-Credential

See also: Using PowerShell credentials without being prompted for a password

⚠️ in the interest of security, try to avoid using hardcoded authentication in a script (as anybody can reuse that), instead authenticate the user (account) that runs the script.

Connect-VIServer -Server $serverName -Credential $Credential
iRon
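Both answers come down to the same thing: build a PSCredential without the plaintext ever being a cmdlet argument, then pass it with -Credential. The 4103 event quoted in the comments is module logging recording the bound parameters of ConvertTo-SecureString -AsPlainText, so the fix is to avoid that call, not to encrypt differently. The following is an added example (not code from either answer or from PowerCLI) that stores the credential DPAPI-protected with Export-Clixml and includes a log check; it assumes PowerCLI's Connect-VIServer, a $serverName you set, and the file path shown.

```powershell
# Added example. Assumed: PowerCLI is installed, $serverName is set,
# and the credential file lives next to the script.
$credFile = Join-Path $PSScriptRoot 'vcenter.cred.xml'   # assumed location

function Save-VCenterCredential {
    param([string]$Path)
    # Get-Credential reads the password through a masked prompt; the typed
    # text is never bound to a parameter, so event 4103 shows only the cmdlet name.
    $cred = Get-Credential -Message 'vCenter account for this script'
    # Export-Clixml protects the SecureString with DPAPI: the file decrypts
    # only for the same Windows account on the same machine.
    $cred | Export-Clixml -Path $Path
}

function Get-VCenterCredential {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Save-VCenterCredential -Path $Path }
    # Import-Clixml rebuilds the PSCredential; DPAPI decryption happens inside
    # the cmdlet, with no plaintext string passing through any parameter.
    Import-Clixml -Path $Path
}

# One stored credential can be reused for any number of vCenters.
$cred = Get-VCenterCredential -Path $credFile
Connect-VIServer -Server $serverName -Credential $cred

# Check: a 4103 event that bound ConvertTo-SecureString together with
# -AsPlainText carries a plaintext secret in its message. Empty output is the goal.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } `
    -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ConvertTo-SecureString' -and $_.Message -match 'AsPlainText' } |
    Select-Object TimeCreated, Message
```

Because the file is DPAPI-bound, it must be created once by the account the script runs under (for a scheduled task, run the save step as that account); copying it to another machine or user will not decrypt.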