Storing PowerShell Credentials

May 24, 2021 By JeffTechs

I really enjoy a fully realized script with almost no required interaction. When working with on-premises or cloud accounts, one of the things that can break the flow of a script is user credentials. While it’s not incredibly taxing to put in the required username and password each time, having PowerShell automatically import them feels pretty good. Not all methods of doing this are created equal. Importing from a text document is definitely a no-no. Anything plain-text is a big no-no. So far, this is the safest method I know of that is easy to set up.

Pull up PowerShell, and decide where you want to store your file. I am putting mine on the desktop because this is a lab environment. Try to put your file somewhere less visible. The command will be:

Get-Credential | Export-Clixml -Path C:\Users\path\to\file.cred

The breakdown of this is pretty straightforward. We’re running the standard Get-Credential command, then piping it to Export-Clixml with the path. Make sure to name the file and append .cred to it. The command won’t do that automatically.

If you open the file after it’s created, you can see that the username is visible, but the password is not.

If you are already thinking, “Is that Base64?”, the answer is no, but you are definitely thinking about security. Export-Clixml uses the Windows Data Protection API (DPAPI), meaning your credentials are encrypted on a Windows machine. Sidenote: if this command is run on Mac or Linux (PowerShell Core), it doesn’t encrypt the password; it only stores it as plain text, obfuscated as a Unicode character array.

So let’s see where the cracks are for security purposes. Import the .cred file back into your shell.

Now print the variable and look at the output.

Even if you run $creds.password, it still won’t show the password. Pro Tip: You can see the methods and properties by running $creds | gm (gm is the alias for Get-Member).

If someone were able to copy this file and place it under a different user’s profile, they would not be able to import the file into a shell. They can open the file in a text editor, but they still cannot see the password. If they attempt to import the file into PowerShell, they will get this error.

This also applies to administrator accounts.

There’s only one way I’ve been able to view the password. If you are on the Owner/Creator’s profile, import the file into PowerShell and run this command.

$creds.GetNetworkCredential().Password

This will show the password in plain-text in the shell.

Since you can only import the file into the Owner/Creator’s shell session, this is pretty decent security out of the box. There’s another way to lock it down even further with Protect-CmsMessage and a certificate, but this article won’t go into that approach.
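One way to wrap the export and import steps above so that the non-Windows caveat and the wrong-user import failure are handled explicitly. This is an added example, not code from the original post; the function names Save-LabCredential and Import-LabCredential, the ACL hardening step, and the path in the usage comment are assumptions.

```powershell
# Added example (not from the original post). Function names, the ACL step
# and the usage path are assumptions made for illustration.
function Save-LabCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # $IsWindows only exists in PowerShell 6+; Windows PowerShell 5.1 always runs on Windows.
    $onWindows = ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows
    if (-not $onWindows) {
        throw 'Export-Clixml does not encrypt credentials on this platform; refusing to write.'
    }
    $Credential | Export-Clixml -Path $Path

    # Defence in depth: drop inherited ACEs and allow only the current user.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Import-LabCredential {
    param([Parameter(Mandatory)] [string] $Path)
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    }
    catch {
        # DPAPI refuses to decrypt for any account other than the one that exported the file.
        if ($_.Exception.GetBaseException() -is [System.Security.Cryptography.CryptographicException]) {
            throw "Cannot decrypt '$Path': it was exported by a different user or on a different machine."
        }
        throw
    }
    if ($cred -isnot [pscredential]) { throw "'$Path' does not contain a PSCredential." }
    return $cred
}

# Usage (constructed path; Get-Credential prompts interactively):
# Save-LabCredential -Path "$env:USERPROFILE\svc.cred" -Credential (Get-Credential)
# $creds = Import-LabCredential -Path "$env:USERPROFILE\svc.cred"
```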

Thanks for reading and Happy Scripting.