This example uses SecureString with a SecureKey. The technique is useful when the key itself has to be stored in a file as a non-readable (encrypted) string rather than in clear text.

Note the use of "(1..16)". This is not a keyword but a PowerShell range expression: it produces a byte array containing the numbers 1 to 16, which ConvertFrom-SecureString/ConvertTo-SecureString accept as a 128-bit AES key (the -Key parameter takes 16, 24 or 32 bytes). Without -Key the cmdlets fall back to DPAPI, which ties the encrypted string to the user account and machine that created it; passing an explicit key is what makes the encrypted key decryptable by any user on any machine, as long as that user can read the secure key. Instead of (1..16) any constant byte array can be used, and it can in turn be sourced from a file. I do not go into encrypting the key for the secure key, because that would just recurse the same logic and reintroduce the same problem of not being able to decrypt as a different user or on a different machine. As I understand it, at the top level a static/constant key is required. Be aware of what that means: a constant key that sits in the script is not a secret, so the "encrypted key" file is only obfuscated, and anyone with the script and read access to the file can recover the password.

For security, the secure key file should therefore be stored on a file share whose ACL grants read access only to the specific user or group that needs it. That access control, not the (1..16) encryption, is the real protection.
Steps:
1. Generate the key, encrypt it with the constant (1..16) key, encrypt the password with the secure key, and save both encrypted values to files

    $key = "1234567891234567"                  # 16 characters; converted to bytes it is a valid AES key
    $plainPassword = "securekey-textpassword"
    $securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
    $secureKey = ConvertTo-SecureString $key -AsPlainText -Force

    # The key is encrypted with the constant byte array, the password with the secure key
    $encryptedKey = ConvertFrom-SecureString $secureKey -Key (1..16)
    $encryptedPassword = ConvertFrom-SecureString $securePassword -SecureKey $secureKey

    $encryptedKey | Out-File "C:\temp\securekey-enckey.txt"
    $encryptedPassword | Out-File "C:\temp\securekey-encpass.txt"

    Write-Host "Key: $key"
    Write-Host "Text Password: $plainPassword"
    Write-Host "Encrypted Password: $encryptedPassword"
    Write-Host "Encrypted Key: $encryptedKey"
2. Retrieve both files and decrypt the password (using the secure key)

    $encryptedKeyFromFile = Get-Content "C:\temp\securekey-enckey.txt"
    $encryptedPasswordFromFile = Get-Content "C:\temp\securekey-encpass.txt"

    # Recover the secure key first, then use it to recover the password
    $secureDecryptedKey = ConvertTo-SecureString $encryptedKeyFromFile -Key (1..16)
    $secureDecryptedPassword = ConvertTo-SecureString $encryptedPasswordFromFile -SecureKey $secureDecryptedKey

    # Copy the plaintext out of the SecureStrings, then zero and free the unmanaged copies
    $BSTR1 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureDecryptedPassword)
    $textPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR1)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR1)

    $BSTR2 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureDecryptedKey)
    $key = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR2)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR2)

    Write-Host "Key: $key"
    Write-Host "Text Password: $textPassword"
    Write-Host "Encrypted Password: $encryptedPasswordFromFile"
    Write-Host "Encrypted Key: $encryptedKeyFromFile"
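The following is an added example, not code from the original post. It carries the two steps above through end to end but tightens the weak points: the key is 32 random bytes (AES-256) instead of a hard-coded string, the key file is written with an ACL that grants read access to a single principal (the file-share restriction the post relies on), the BSTR copy of the plaintext is zeroed after use, and a final check confirms that a wrong key does not yield the password. The paths under C:\temp and the use of the current user as the permitted reader are assumptions for illustration; in practice the key file lives on the restricted share and the reader would be a group.

```powershell
# Added example: random AES-256 key, ACL-restricted key file, zeroed BSTR, wrong-key check.
# Paths and the reader principal ($env:USERNAME) are assumptions for illustration.
$ErrorActionPreference = 'Stop'
$keyFile  = 'C:\temp\securekey-key.bin'       # assumed; normally a locked-down file share
$passFile = 'C:\temp\securekey-encpass.txt'

function New-AesKey {
    # 32 random bytes = AES-256. -Key accepts 16, 24 or 32 bytes.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return $bytes
}

function Protect-Secret {
    param([string]$PlainText, [byte[]]$Key, [string]$Path)
    $secure = ConvertTo-SecureString $PlainText -AsPlainText -Force
    # Encrypt with the explicit key so any user/machine holding the key can decrypt (not DPAPI)
    $encrypted = ConvertFrom-SecureString $secure -Key $Key
    Set-Content -Path $Path -Value $encrypted -Encoding ASCII
}

function Unprotect-Secret {
    param([string]$Path, [byte[]]$Key)
    $encrypted = Get-Content -Path $Path          # single line, no trailing newline
    $secure = ConvertTo-SecureString -String $encrypted -Key $Key
    # Expose the plaintext only for as long as needed, then wipe the unmanaged copy
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Save-KeyRestricted {
    param([byte[]]$Key, [string]$Path, [string]$Reader)
    [System.IO.File]::WriteAllBytes($Path, $Key)
    # Drop inherited ACEs and leave exactly one explicit Read entry for the permitted reader
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($Reader, 'Read', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

# --- step 1: generate key, encrypt the password, store both ---
$key = New-AesKey
Protect-Secret -PlainText 'securekey-textpassword' -Key $key -Path $passFile
Save-KeyRestricted -Key $key -Path $keyFile -Reader $env:USERNAME   # assumed reader; use a group in practice

# --- step 2: read the key back from the restricted file and decrypt ---
$keyFromFile = [System.IO.File]::ReadAllBytes($keyFile)
$recovered = Unprotect-Secret -Path $passFile -Key $keyFromFile
if ($recovered -ne 'securekey-textpassword') { throw 'Round trip failed' }
Write-Host 'Round trip OK'

# --- check: a different key must not recover the password ---
# With the wrong key AES decryption normally fails the padding check and throws;
# the rare case where padding happens to validate yields garbage, which the comparison catches.
$wrongResult = $null
try {
    $wrongResult = Unprotect-Secret -Path $passFile -Key (New-AesKey)
} catch {
    Write-Host "Wrong key rejected: $($_.Exception.Message)"
}
if ($wrongResult -eq 'securekey-textpassword') { throw 'Wrong key decrypted the password' }
```

Run it in an elevated or ordinary session that can write to C:\temp; the ACL step requires that the account running the script owns the key file it just created, which is the normal case. The design point is that the key file, not the encrypted password file, is the asset to guard: whoever can read it can decrypt the password, so its ACL should be as narrow as the job allows.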