In my last post, I made use of a script that sets a secret value. The script needs to run at each system start, so it needs to be stored on the server. However, I don't want to (and never should!) store actual secrets in plain text files. Scripts tend to get stored in backups, source control or sent around via email.

Don't write something in an email you wouldn't also put on the front page of the New York Times.

You don't want your passwords on the front page of the New York Times.

There's a commandlet for working with SecureStrings in PowerShell. It's using local user account and machine information to encrypt and decrypt string values, so you manually create an "encrypted" string, store that in a script and it only ever works for a specific user account / hardware combination. It's secure as long as someone doesn't have full access to the computer the script is running on. If someone has that kind of access, you're busted anyway...

How do you do it?

Easy! Invoke the following script with your secret as parameter, e.g. like this from the commandline:

C:\Scripts>powershell .\ConvertPasswordToSecureString.ps1 P4$$w0rd

It'll print a long string to the console. That's the one that's safe to store. You can put it in any script you want and retrieve it like this:

$sharedSecret is the decrypted string value. In the example, I'm using it to set my VPNs Pre Shared Secret at system startup.

Happy storing!