jgoup

Reputation: 115

Password encryption using SecureString for plink.exe command

I would like to encrypt a password in PowerShell.

I tried this:

In CLI:

Read-Host -prompt "Password ?" -AsSecureString | ConvertFrom-SecureString | out-file "D:\root.pwd"

In my script.ps1:

$pwdNAS = Get-Content "D:\root.pwd" | ConvertTo-SecureString
plink.exe [email protected] -pw $pwdNAS df

But it doesn't work...

I tried with credentials, but it doesn't seem to be better...

(My password doesn't have any space or accented character)

Any idea?

Upvotes: 1

Views: 5971

Answers (3)

Martin Prikryl

Reputation: 202692

For decryption, see PowerShell - Decode System.Security.SecureString to readable password:

$securePass = Get-Content C:\encrypted_password1.txt
$pass = $securePass | ConvertTo-SecureString

$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($pass)
$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
plink ... -pw $decrypted 

Though, as suggested by the other answers, you'd better use public key authentication.

Upvotes: 0

theclintox

Reputation: 1

For connecting via ssh you're far better off using a key, generated by PuttyGen or another key generation tool like that.

However, there is a way to convert secure strings into plaintext strings, detailed here. Be aware that: a) it will only work if the same user account both encrypts and decrypts the secure string, and b) it's not hugely secure.

Upvotes: 0

Ansgar Wiechers

Reputation: 200543

Of course it doesn't work. plink expects a (cleartext) password for the -pw option, not a SecureString object. If you want to avoid cleartext passwords in your scripts: use public key authentication. If you don't want other people to know your password (or key): give them their own account and password/key.

Upvotes: 1
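
Added example, not part of any of the answers above: the two approaches the answers describe, side by side. The first decrypts the SecureString for plink's -pw option and wipes the unmanaged copy even if something throws; the second uses the public key authentication that all three answers recommend. The target host, the key path and the function name ConvertTo-PlainText are placeholders assumed for illustration.

```powershell
# Added example. Placeholder values: replace with your own target and paths.
$target  = 'user@nas.example.invalid'   # placeholder user@host
$pwdFile = 'D:\root.pwd'                # written by ConvertFrom-SecureString (DPAPI:
                                        # readable only by the same user on the same machine)
$keyFile = 'D:\keys\nas.ppk'            # placeholder private key generated with PuTTYgen

# Hypothetical helper: returns the plaintext of a SecureString.
# The unmanaged buffer is zeroed and freed in 'finally', so it is wiped even on error.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $ptr = [System.IntPtr]::Zero
    try {
        $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($Secure)
        return [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    }
    finally {
        if ($ptr -ne [System.IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)
        }
    }
}

# Approach 1: password authentication.
# plink needs the cleartext, so the password exists as a managed string in this
# process and appears on plink's command line while it runs.
$secure = Get-Content $pwdFile | ConvertTo-SecureString
$plain  = ConvertTo-PlainText -Secure $secure
try {
    # -batch disables interactive prompts, so the host key must already be cached.
    & plink.exe -ssh -batch -pw $plain $target df
}
finally {
    # Drops the reference only; the managed string stays in memory until collected.
    Remove-Variable -Name plain
}

# Approach 2: public key authentication. No password is decrypted or passed at all.
# The matching public key must be in the account's authorized_keys on the server.
& plink.exe -ssh -batch -i $keyFile $target df
```

With approach 2 the key file itself becomes the secret, so restrict its NTFS permissions to the account that runs the script.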
