Prof. PowerShell

Securing Secure Strings

In PowerShell, there are a number of cmdlets that work with something called a secure string. When you create a saved credential object, the password is stored as a secure string.

PS C:\> $cred = Get-Credential MyCompany\Jeff
PS C:\> $cred

UserName                     Password
--------                     --------
MyCompany\Jeff               System.Security.SecureString

PS C:\> $cred.password
System.Security.SecureString

You can also create a secure string from a plain text string with the ConvertTo-SecureString cmdlet.

PS C:\> $secure = ConvertTo-SecureString -String "Secr3t$@v<e" -AsPlainText -Force
PS C:\> $secure
System.Security.SecureString

The text in the secure string is encrypted using a key that exists on your computer. I'm trying to keep the explanation simple. This means that when a cmdlet needs the contents of the secure string, it can use that key to decrypt it. The secure string, as I'm using it here, exists only in memory; as soon as your PowerShell session ends, it goes away.

While in your session, you can convert it back to a string using some .NET magic:

PS C:\> [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
Secr3t$@v<e

This only works on your computer for as long as the variable exists. I'm showing you this so you can verify what I'm writing about.
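As an added example (not code from the original column), here is the same .NET round trip wrapped in a function that also releases the unmanaged buffer afterwards. SecureStringToBSTR copies the decrypted characters into an unmanaged BSTR; if you never free it, that copy lingers in process memory. The function name and the sample secret are my own choices, not anything the column defines.

```powershell
# Added example: decrypt a SecureString inside the current session and
# zero/free the unmanaged copy once it has been read.
function ConvertFrom-SecureStringToPlainText {
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString]$SecureString
    )
    # SecureStringToBSTR allocates an unmanaged buffer holding the decrypted text.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        # PtrToStringAuto copies that buffer into a managed .NET string, which is
        # what gets written to the pipeline.
        [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    }
    finally {
        # Overwrite and release the unmanaged buffer so the plain text does not
        # outlive this call (the managed string returned above is still a copy).
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Constructed sample value for this example; single quotes keep '$@' literal.
# In real use the SecureString would come from Read-Host -AsSecureString or Get-Credential.
$secret = 'Secr3t$@v<e'
$secure = ConvertTo-SecureString -String $secret -AsPlainText -Force

# Displaying or converting the SecureString itself reveals only the type name
# and the character count, never the text.
$secure.ToString()
$secure.Length

# Round trip in the same session: the decrypted value must match the original.
$plain = ConvertFrom-SecureStringToPlainText -SecureString $secure
if ($plain -cne $secret) {
    throw 'Round trip through SecureStringToBSTR/PtrToStringAuto did not match.'
}
'Round trip verified in this session.'
```

Use the function only to verify what you are working with, as the column does; once the plain text is in a managed string you no longer control how long it stays in memory.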

It is possible to save this string and re-use it. But you must be aware that from a security perspective it is bad practice to record any sensitive information in a file. However, rules are meant to be bent, as long as you understand the implications.

The best approach is to export the string to an XML file.

PS C:\> $secure | Export-Clixml c:\work\secure.xml

You could also save just the encoded contents to a text file.

PS C:\> ConvertFrom-SecureString $secure | Out-File c:\work\secure.txt

In a later PowerShell session on the same computer, you can import the data and recreate the secure string using either of these methods.

PS C:\> $ss = Get-Content C:\work\secure.txt | ConvertTo-SecureString
PS C:\> $ss = Import-Clixml C:\work\secure.xml

You could run into some version issues with the XML format if you are moving between PowerShell versions. But remember, you can only recreate the secure string on the same computer where you created it. If you try either of these techniques on a different computer you will most likely get errors about invalid keys. That is for your protection.
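The export/import procedure above, as an added example that is not part of the original column. It writes the secure string with Export-Clixml, checks that the file holds no plain text, reads it back, and reports the "invalid key" failure the column mentions instead of letting the script die. The file path, the helper function name and the sample secret are placeholders I chose for this example. One caveat the column does not spell out: the protection comes from the Windows Data Protection API (DPAPI) keyed to the current user account, so the file can only be read back by the same user on the same computer, not by any account on that computer.

```powershell
# Added example: save a SecureString with Export-Clixml and recreate it later,
# handling the failure you get in a different user/computer context.
$path   = Join-Path $env:TEMP 'secure.xml'   # placeholder location
$secret = 'Secr3t$@v<e'                       # constructed sample value

$secure = ConvertTo-SecureString -String $secret -AsPlainText -Force

# Export-Clixml protects the SecureString with DPAPI, keyed to the current
# user account on this computer; the XML contains the encrypted blob only.
$secure | Export-Clixml -Path $path

# Check 1: the secret must not appear in the file in the clear.
if ((Get-Content -Path $path -Raw) -match [regex]::Escape($secret)) {
    throw "Plain text leaked into $path"
}

function Import-SavedSecureString {
    param([Parameter(Mandatory)][string]$Path)
    $ss = $null
    try {
        $ss = Import-Clixml -Path $Path
    }
    catch {
        # On another computer, or under another user account, DPAPI cannot
        # decrypt the blob; the error reads "Key not valid for use in specified state".
        Write-Warning "Cannot recreate the secure string from '$Path' here: $($_.Exception.Message)"
        return $null
    }
    if ($ss -isnot [System.Security.SecureString]) {
        throw "File '$Path' did not contain a SecureString."
    }
    return $ss
}

# Check 2: in the same user/computer context the round trip must succeed.
$restored = Import-SavedSecureString -Path $path
if ($null -ne $restored) {
    # GetNetworkCredential() exposes the plain text, so it belongs only in a
    # verification step like this one, not in production code paths.
    $cred      = New-Object System.Management.Automation.PSCredential ('check', $restored)
    $roundTrip = $cred.GetNetworkCredential().Password
    if ($roundTrip -cne $secret) { throw 'Round trip mismatch' }
    'Secure string recreated successfully on this computer.'
}

Remove-Item -Path $path -ErrorAction SilentlyContinue
```

The same checks apply to the text-file variant (ConvertFrom-SecureString piped to a file, then Get-Content piped to ConvertTo-SecureString), since both rely on the same DPAPI-protected blob. Note that on non-Windows builds of PowerShell 7 DPAPI is not available, so that protection does not apply to files exported there.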

If you need secure strings, the best solution is to prompt for them:

PS C:\> $mysecure = Read-Host "Enter the secret word" -AsSecureString
Enter the secret word: *******
PS C:\> $mysecure
System.Security.SecureString

But if for some reason you have to commit the secure string to a file, you can retrieve it, but only on the machine where you created it.
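To show the prompting approach in a reusable form, here is an added example (my own code, not from the column) that prompts with Read-Host -AsSecureString, rejects an empty entry, and wraps the result in a PSCredential so it can be passed to any cmdlet that takes -Credential without your script ever handling the plain text. The function name and the hypothetical server name are assumptions for this example.

```powershell
# Added example: prompt for a secret and hand it to cmdlets as a PSCredential.
function Get-PromptedCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Prompt = "Password for $UserName"
    )
    # Read-Host -AsSecureString masks the input and returns a SecureString,
    # so the typed characters never exist as a plain .NET string here.
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    if ($secure.Length -eq 0) {
        throw 'No password was entered.'
    }
    # PSCredential pairs the user name with the SecureString; it is the object
    # Get-Credential returns and what -Credential parameters expect.
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

$cred = Get-PromptedCredential -UserName 'MyCompany\Jeff'

# Displaying the credential shows the type name for the password, not its contents.
$cred.UserName
$cred.Password

# Pass the credential on as-is; the receiving cmdlet decrypts it when needed.
# 'server01' is a hypothetical target name for illustration.
# Get-WmiObject -Class Win32_OperatingSystem -ComputerName 'server01' -Credential $cred
```

Prompting keeps the secret out of files entirely, which is why the column recommends it; the export approach above is the fallback for unattended scripts, and even then it only works for the same user on the same computer.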

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
