whorsfall asked:

PowerShell: specify a literal "encrypted standard string"?

Hi,

How can I use PowerShell to manually define an "encrypted standard string" directly, without having to read it from a file
and then convert it to a secure string?

See my example: Method 1 works, but I can't get Method 2 to work.

Any suggestions? I would like to use a secure string in a script without reading it from a file or prompting the user.
So just specify the long sequence of characters.

Thanks,

Ward

# Method 1 - this works.

$pw = ConvertTo-SecureString 'hello' -AsPlainText -Force

$data1 = $pw | ConvertFrom-SecureString 

$data1 | Out-File -FilePath ".\pw.txt" -Force

$file_data = Get-Content ".\pw.txt" | ConvertTo-SecureString

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 


"Password:  $PlainPassword"
""
$data1

# Method 2 - use literal text

$data2 = @"
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c6000000000200000000001066000000010000200000006be4552c3584b727a58b044097670bda284c5aac7f
5db1b06d1e3629776a343e000000000e80000000020000200000006b178fa1c6f34251470d87887dd05f16d6d78ccd6be97f758a9fcca28177bf9610000000ca823ec7d654009b5640553b99e614eb40000000
f86406ac343fb8a9f016e516490cc59d441af7bc760ddc19a74779275a8da347909c3df7e3a67304aa50a5a5ae71dc11cfae42ed21a7f50a54b309a2106b0ef0
"@

$file_data = $data2 | ConvertTo-SecureString 

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 

"Password:  $PlainPassword"



Here is the error I get when I try to run it.

PS C:\Users\Ward> C:\Users\Ward\OneDrive\Documents\test1.ps1
Password:  hello

01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c60000000002000000000010660000000100002000000028762f90fd2d364b89b516059c4da6945a31a28b71
9b9ae147b0c5b630df58e7000000000e800000000200002000000051f7b457600ebce6976fbda0dc030f142cf625cf08284a979f1b2b70a4d4fd8f1000000098ed9798da734098fa4fc6312656e4f440000000
c0b0909bd09f4829bea7b5d64aa1def84a3fc34c512a4ec730c35d9150458d18403f1e04b22d13e02340aeeb7e4f4737d125eda2285e1b871d79841cd4af42ad
ConvertTo-SecureString : Input string was not in a correct format.
At C:\Users\Ward\OneDrive\Documents\test1.ps1:27 char:23
+ $file_data = $data2 | ConvertTo-SecureString
+                       ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [ConvertTo-SecureString], FormatException
    + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
oBdA

Well - this problem results from the here-string containing line breaks, so you need to remove these first before converting the string:
$file_data = $data2.Replace("`r`n", "") | ConvertTo-SecureString 


But then your next problem will probably come up:
A secure string will only be valid for the user who created it, AND on the machine where the string was created.
In other words: as soon as you try to run the script with the embedded password either with another user or on another computer, you'll get ConvertTo-SecureString : Key not valid for use in specified state.
whorsfall (ASKER)

Hi,

So now if I run this code below it will fail on a different machine? Even though it seems to work ok now?

Thanks,
Ward,

$data2 = @"
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c6000000000200000000001066000000010000200000006be4552c3584b727a58b044097670bda284c5aac7f
5db1b06d1e3629776a343e000000000e80000000020000200000006b178fa1c6f34251470d87887dd05f16d6d78ccd6be97f758a9fcca28177bf9610000000ca823ec7d654009b5640553b99e614eb40000000
f86406ac343fb8a9f016e516490cc59d441af7bc760ddc19a74779275a8da347909c3df7e3a67304aa50a5a5ae71dc11cfae42ed21a7f50a54b309a2106b0ef0
"@

$file_data = $data2.Replace("`r`n", "") | ConvertTo-SecureString 

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 

"Password:  $PlainPassword"


Yep. Check yourself; here are the first 64 characters from an encoded "hello".
Line 1: Your "hello"
Line 2: My "hello", machine 1, account 1
Line 3: My "hello", machine 1, account 2
Line 4: My "hello", machine 2, account 1
Differences start in column 49:
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f
01000000d08c9ddf0115d1118c7a00c04fc297eb0100000005f5ca1d26d1d745
01000000d08c9ddf0115d1118c7a00c04fc297eb010000008da7ed0b833a6147
01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e725ac7e967604f
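
The following is an added example, not code from any poster in this thread: it normalizes a wrapped here-string and decodes the header that the four lines above are comparing, which shows why the strings diverge at column 49. The header layout (version, provider GUID, master key version, master key GUID), the `%APPDATA%\Microsoft\Protect` lookup and the helper name `Get-DpapiBlobHeader` are assumptions not stated in the thread; Windows only.

```powershell
# Added example; Get-DpapiBlobHeader is a hypothetical helper name.
function Get-DpapiBlobHeader {
    param([Parameter(Mandatory)][string]$EncryptedString)

    # Strip all whitespace so CRLF and LF-only here-strings both normalize.
    $hex = $EncryptedString -replace '\s', ''
    if ($hex -notmatch '^[0-9a-fA-F]{80,}$' -or $hex.Length % 2) {
        throw 'Not a hex-encoded DPAPI blob (expected at least 80 hex characters).'
    }

    # Decode only the fixed 40-byte header.
    $b = [byte[]]::new(40)
    for ($i = 0; $i -lt 40; $i++) { $b[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }

    $masterKey = [Guid]::new([byte[]]$b[24..39])
    # Assumption: the current user's DPAPI master keys are files named by GUID here.
    $sid  = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $path = Join-Path $env:APPDATA "Microsoft\Protect\$sid\$masterKey"

    [pscustomobject]@{
        CleanHex       = $hex                               # whitespace-free string
        Version        = [BitConverter]::ToUInt32($b, 0)    # hex columns 1-8
        ProviderGuid   = [Guid]::new([byte[]]$b[4..19])     # hex columns 9-40
        MasterKeyGuid  = $masterKey                         # hex columns 49-80
        KeyPresentHere = [IO.File]::Exists($path)
    }
}

# Header of the asker's blob from the thread (first 80 hex characters), wrapped as in Method 2.
$sample = @"
01000000d08c9ddf0115d1118c7a00c04fc297eb
010000006060907f48c4004f9e68712619c245c6
"@

$h = Get-DpapiBlobHeader $sample
$h | Format-List Version, ProviderGuid, MasterKeyGuid, KeyPresentHere
if (-not $h.KeyPresentHere) {
    Write-Warning "Master key $($h.MasterKeyGuid) not found for this user; ConvertTo-SecureString is expected to fail here."
}
```

Stripping with `-replace '\s', ''` also covers a script file saved with LF-only line endings, where a here-string contains no "`r`n" sequence to replace.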
