
Prof. Powershell

Securing Secure Strings

In PowerShell, there are a number of cmdlets that work with something called a secure string. When you create a saved credential object, the password is stored as a secure string.

PS C:\> $cred = Get-Credential MyCompany\Jeff
PS C:\> $cred

UserName                       Password
--------                       --------
MyCompany\Jeff                 System.Security.SecureString

PS C:\> $cred.password
System.Security.SecureString

You can also create a secure string from a plain text string with the ConvertTo-SecureString cmdlet.

PS C:\> $secure = ConvertTo-SecureString -String "Secr3t$@v<e" -AsPlainText -Force
PS C:\> $secure

The text in the secure string is encrypted using a private key that exists on your computer. I'm trying to keep the explanation simple. This means that when a cmdlet needs to access the secure string, it can use that private key to decrypt it. The secure string, as I'm using it here, only exists in memory. As soon as your PowerShell session ends, it goes away.

While in your session, you can convert it back to a string using some .NET magic:

PS C:\>

This only works on your computer for as long as the variable exists. I'm showing you this so you can verify what I'm writing about.
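The .NET conversion the column refers to, written out as an added example (this is not the column's own code): the SecureString is decrypted into an unmanaged BSTR buffer, copied into a managed string for inspection, and the buffer is then zeroed and freed so the clear text does not linger in memory longer than necessary. The function name and the sample value are assumptions.

```powershell
# Added example, not from the column: convert a SecureString back to plain
# text with the Marshal class and clean up the unmanaged copy afterwards.
function ConvertFrom-SecureStringToPlainText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.SecureString]$SecureString
    )
    process {
        # SecureStringToBSTR decrypts the value into an unmanaged buffer.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        try {
            # Copy the buffer into a normal .NET string (the result).
            [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        }
        finally {
            # Overwrite and free the buffer even if the copy failed.
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

# Usage with a constructed value: create the secure string, then verify
# the round trip in the same session on the same computer.
$secure = ConvertTo-SecureString -String 'Secr3t$@v<e' -AsPlainText -Force
ConvertFrom-SecureStringToPlainText -SecureString $secure
```

The returned value is an ordinary immutable .NET string, which cannot be zeroed, so use it only to verify and let it go out of scope as soon as possible rather than keeping it in a long-lived variable.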

It is possible to save this string and re-use it. But you must be aware that from a security perspective it is bad practice to record any sensitive information in a file. However, rules are meant to be bent, as long as you understand the implications.

The best approach is to export the string to an XML file.

PS C:\> $secure | Export-Clixml c:\work\secure.xml

You could also save just the encoded contents to a text file.

PS C:\> ConvertFrom-SecureString $secure | out-file c:\work\secure.txt

In a later PowerShell session on the same computer, you can import the data and recreate the secure string using either of these methods.

PS C:\> $ss = get-content C:\work\secure.txt | convertto-securestring
PS C:\> $ss = import-clixml C:\work\secure.xml

You could run into some version issues with the XML format if you are moving between PowerShell versions. But remember, you can only recreate the secure string on the same computer where you created it. If you try either of these techniques on a different computer you will most likely get errors about invalid keys. That is for your protection.

If you need secure strings, the best solution is to prompt for them:

PS C:\> $mysecure = read-host "Enter the secret word" -AsSecureString
Enter the secret word: *******
PS C:\> $mysecure

But if for some reason you have to commit the secure string to a file, you can retrieve it, but only on the machine where you created it.
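Putting the save, re-import and prompt-as-fallback pieces together, here is an added example (my code, not the column's) that stores a whole credential object with Export-Clixml, reloads it in a later session, and prompts instead when the file is missing or cannot be decrypted because it was written by a different user or on a different computer. The function name, file path, user name and the -Save switch are assumptions.

```powershell
# Added example, not from the column. Loads a saved PSCredential from a
# CLIXML file; if the file is absent, or the DPAPI-protected password
# cannot be decrypted on this machine/account, falls back to prompting.
function Get-SavedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,       # assumed location
        [Parameter(Mandatory)][string]$UserName,   # assumed account
        [switch]$Save                              # opt in to writing the file
    )
    if (Test-Path -Path $Path) {
        try {
            $cred = Import-Clixml -Path $Path -ErrorAction Stop
            if ($cred -is [System.Management.Automation.PSCredential]) {
                return $cred
            }
            Write-Warning "$Path did not contain a PSCredential; prompting instead."
        }
        catch {
            # Typical cause: file created under another user or on another computer.
            Write-Warning "Could not load $Path ($($_.Exception.Message)); prompting instead."
        }
    }
    # Prompting keeps the secret out of scripts and files altogether.
    $cred = Get-Credential -UserName $UserName -Message "Enter the password for $UserName"
    if ($Save) {
        # Only readable again by this user on this computer.
        $cred | Export-Clixml -Path $Path
    }
    return $cred
}

# Usage: first run prompts and (with -Save) writes C:\work\cred.xml;
# later runs in the same account on the same computer load it silently.
$cred = Get-SavedCredential -Path 'C:\work\cred.xml' -UserName 'MyCompany\Jeff' -Save
# PSCredential can reveal its own password, so a quick length check
# confirms the round trip without any extra .NET calls.
$cred.GetNetworkCredential().Password.Length
```

Keeping -Save opt-in means a script that merely consumes the credential never writes the secret to disk on its own; only the operator who deliberately asks for the file gets one, and that file is still bound to the user and computer that created it.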

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrators Guide. You can keep up with Jeff at his blog, on Twitter at and on Google Plus (http:/


Reader Comments:

Sun, Apr 7, 2013 Jason Arlington

Jeffrey, I actually got into a discussion about this on the Scripting Guys forum the other day. If I export a secure string using a predefined key, doesn't that allow me to encrypt the secure string and make it safe to leave on the network? Also, if I set a particular predefined key, does that allow me to reimport the string from any computer I want? The discussion was in reference to finding a way to change a local admin password on a number of computers in a particular domain.
