Safe Storage of Strings in PowerShell Scripts

by Georg Dangl in Windows Server, Thursday, April 27, 2017

In my last post, I made use of a script that sets a secret value. The script needs to run at each system start, so it needs to be stored on the server. However, I don't want to (and never should!) store actual secrets in plain text files. Scripts tend to get stored in backups, source control or sent around via email.

Don't write something in an email you wouldn't also put on the front page of the New York Times.

You don't want your passwords on the front page of the New York Times.

There's a cmdlet for working with SecureStrings in PowerShell. It uses local user account and machine information to encrypt and decrypt string values, so you manually create an "encrypted" string, store that in a script, and it only ever works for that specific user account / hardware combination. It's secure as long as nobody has full access to the computer the script is running on. If someone has that kind of access, you're busted anyway...

How do you do it?

Easy! Invoke the following script with your secret as a parameter, e.g. like this from the command line:

C:\Scripts>powershell .\ConvertPasswordToSecureString.ps1 P4$$w0rd

It'll print a long string to the console. That's the one that's safe to store. You can put it in any script you want and retrieve it like this:

$sharedSecret is the decrypted string value. In the example, I'm using it to set my VPN's pre-shared secret at system startup.
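The two halves of the procedure above, as an added example rather than the author's own scripts: the function names Protect-Secret and Unprotect-Secret are my own, and the sample password is the constructed one from the command line above.

```powershell
# Added example (not the author's original scripts): the two halves of the
# technique described above, as functions, so that the round trip can be
# checked in one session. The encrypted output is bound to the current
# user account and machine; it cannot be decrypted anywhere else.

function Protect-Secret {
    # Equivalent of ConvertPasswordToSecureString.ps1: turn a plain-text
    # secret into the long encrypted string that is safe to store in a script.
    param([Parameter(Mandatory = $true)][string]$PlainText)
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    # Without -Key, ConvertFrom-SecureString protects the value with the
    # Windows Data Protection API (DPAPI) under the current user's profile.
    ConvertFrom-SecureString -SecureString $secure
}

function Unprotect-Secret {
    # Retrieval half for the startup script: rebuild the SecureString from the
    # stored text and decrypt it only at the moment the plain value is needed.
    param([Parameter(Mandatory = $true)][string]$EncryptedText)
    try {
        $secure = ConvertTo-SecureString -String $EncryptedText
    } catch {
        # Thrown when the string was produced by a different user or machine.
        throw "Stored secret cannot be decrypted in this user/machine context: $_"
    }
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Wipe the unmanaged copy of the plain text as soon as it is read.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Step 1 (run once, interactively): print the string to paste into the script.
$stored = Protect-Secret -PlainText 'P4$$w0rd'
Write-Output "Safe to store: $stored"

# Step 2 (in the startup script): the pasted string comes back as $sharedSecret.
$sharedSecret = Unprotect-Secret -EncryptedText $stored
if ($sharedSecret -ne 'P4$$w0rd') { throw 'Round trip failed' }
```

Running the retrieval half under another account, or on another machine, is the failure mode the catch block reports; the stored string is not portable by design.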


Happy storing!
