mh133

Reputation: 145

Understanding Powershell SecureStrings

Today, I wanted to dig deeply into the concept of SecureString in .NET and PowerShell, yet I don't think I am understanding it very well.

If I have a password and convert it to a SecureString, is it saved as I entered it? (Being either encrypted or plain text.)

Now if I would pass the password as a part of a PSCredential to a PSSession: what would happen? Does PSSession run ConvertFrom-SecureString on the passed password? But then the password is being encrypted again. How does it know how to pass it to a PSSession?

Upvotes: 2

Views: 3426

Answers (1)

G42

Reputation: 10019

I don't fully understand your question but get the gist. This will probably be easier if you think in terms of object types (some explanation). [This link is now dead.]

"If I have a password and convert it to a SecureString, is it saved as I entered it? (Being either encrypted or plain text.)"

  • Your password will be plain text, and have the type [String]. This is not encrypted.
  • The SecureString has the type [System.Security.SecureString]. It is encrypted.
  • This encryption happens in memory whenever you create the SecureString.
  • It's important to note that a key is required to decrypt the SecureString (more on that below).

Approach 1
This creates an encrypted SecureString variable called $SecurePassword. The unencrypted password does not make it to memory.

$SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString

Approach 2
This creates an unencrypted String variable $PlainPassword, then a SecureString variable.

$PlainPassword = Read-Host -Prompt "Enter password"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force

"Now if I would pass the password as a part of a PSCredential to a PSSession: what would happen?"

  • PSSession does not accept unencrypted passwords. To simplify you can either provide a User and be prompted for a password, or pass an object that has the type PSCredential - i.e. it is expecting a secure password.
  • When you pass a PSCredential, it is already encrypted with the password as a SecureString.
  • But the PSSession needs to decrypt it (this part I am not sure on but assume... how else can it verify it?)
  • To decrypt the SecureString, the key is required. The key is normally generated and as long as both machines have the same security principal, the PSSession can complete the decryption (this part I'm sure of).
  • This post addresses how to create a key so that a SecureString can be decrypted when there are different principals.

Upvotes: 6
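An added walkthrough of the points above (example code, not part of the question or the answer): it builds a SecureString and a PSCredential, shows that any code in the same process can read the clear text back, and contrasts the two serialized forms that ConvertFrom-SecureString produces, the DPAPI form bound to the current user and machine, and the -Key form that is portable to whoever holds the key. It assumes Windows (Windows PowerShell 5.1 or PowerShell 7 on Windows, where DPAPI is available); the password, user name and file name are constructed sample values.

```powershell
# Added example, not from the original post. Assumes Windows (DPAPI present).
$demoPassword = 'P@ssw0rd-demo'   # constructed sample value, not a real secret

# Helper: reveal the clear text behind a SecureString the same way any caller
# in this process could. This is why SecureString is not protection against
# code already running as you; it only limits casual exposure (logs, dumps).
function Reveal-Plain([System.Security.SecureString] $s) {
    (New-Object System.Management.Automation.PSCredential ('x', $s)).GetNetworkCredential().Password
}

# 1. Plain [String] -> [SecureString]. Protected in memory, readable by this process.
$secure = ConvertTo-SecureString -String $demoPassword -AsPlainText -Force
Write-Output ("Type: " + $secure.GetType().FullName)   # System.Security.SecureString

# 2. A PSCredential only wraps a user name plus the SecureString.
$cred = New-Object System.Management.Automation.PSCredential ('demo\user', $secure)
if ((Reveal-Plain $cred.Password) -ne $demoPassword) { throw 'unexpected: recovered password differs' }

# 3. ConvertFrom-SecureString with no -Key: a DPAPI-protected string bound to the
#    current user on the current machine. Suits a scheduled task that runs as the
#    same account on the same host; it will not decrypt for another user or host.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secure
$fromDpapi = ConvertTo-SecureString -String $dpapiBlob      # same user, same machine
if ((Reveal-Plain $fromDpapi) -ne $demoPassword) { throw 'DPAPI round trip failed' }

# 4. ConvertFrom-SecureString -Key: AES with a caller-supplied 16/24/32-byte key.
#    This is the portable form. The blob is exactly as safe as the key, so keep the
#    key separate from the blob (ACL'd file, secret store), never in the same script.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$portableBlob = ConvertFrom-SecureString -SecureString $secure -Key $key

# Any principal, on any machine, holding $key can reconstruct it:
$fromKey = ConvertTo-SecureString -String $portableBlob -Key $key
if ((Reveal-Plain $fromKey) -ne $demoPassword) { throw 'keyed round trip failed' }

# A wrong key almost always fails the padding check and throws; the rare case
# where it does not yields a wrong value, so callers should validate either way.
$wrongKey = New-Object byte[] 32
try {
    $bad = ConvertTo-SecureString -String $portableBlob -Key $wrongKey
    if ((Reveal-Plain $bad) -ne $demoPassword) { Write-Output 'wrong key: decrypted to a wrong value' }
} catch {
    Write-Output "wrong key rejected: $($_.Exception.Message)"
}

# 5. Export-Clixml / Import-Clixml persist a PSCredential through the same DPAPI
#    path (user + machine bound), the usual way to store a service-account credential.
$file = Join-Path $env:TEMP 'demo-cred.xml'   # constructed file name
$cred | Export-Clixml -Path $file
$imported = Import-Clixml -Path $file
if ((Reveal-Plain $imported.Password) -ne $demoPassword) { throw 'Clixml round trip failed' }
Remove-Item $file
```

Read the two round trips as a defender: a DPAPI blob found on disk is only usable by the account and machine that produced it, whereas a -Key blob is usable by anyone who also obtains the key, so the key's storage and ACLs are what you review. In both cases the clear text is reconstructible inside the process that loads it, which is the behaviour a PSCredential relies on when it is consumed.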
