PowerShell: Keeping Secrets for Batch Scripts

As a system administrator, I write a lot of utility scripts, and I love using PowerShell. However, I cannot always use the local scheduler with a service account to run a script, sometimes I have to provide a username and password to an application or service. I hate storing them in plaintext, and while I don't fully like storing the encrypted text, key, and IV in the script, it is one step better than the plaintext solution. While the ultimate solution would be to have it stored as part of the user profile for the job, this is an issue when I don't have direct access to the production system to be able to run as the service account and I just need an encrypted file / text to later decrypt and use.

So, I started working with ConvertTo/From-SecureString and hit a little problem. I discovered, via Reflector, that the ConvertTo-SecureString and ConvertFrom-SecureString use an IV that is specific to that instance of the PowerShell runtime. Thus, using it at a later time is no good for me. So, long story short, I cranked up Reflector, took a look at the commands, and created a script version that does exactly what I need.

You will find the script attached.


1 Comment

Comments have been disabled for this content.