PowerShell Snippet: Store Login Information Secure in PowerShell using Windows Security API

Today I want to show you a small PowerShell snippet that I created for a webinar for AvePoint. It’s a webinar in German language about the DocAve module “Content Manager”.

The snippet will show you how to store a encrypted password in a plain text file.

Therefore I use some Windows OS APIs that are accessible in .NET:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.protect(v=vs.110).aspx

This encapsulates the “Data Protection API” of Windows: http://msdn.microsoft.com/en-us/library/ms995355.aspx

With the methods of this class you are able to encrypt and decrypt data very easily, either in the context of the current user or in the context of the local machine.

The encrypted data can only be decrypted on the same machine in the same context as where they were encrypted.

Very easy and handy. It is  NOT EASY BUT POSSIBLE to decrypt it on another machine. Just read the article mentioned above, especially the section “DPAPI Security” (http://msdn.microsoft.com/en-us/library/ms995355.aspx#windataprotection-dpapi_topic04).

It is DocAve specific but of course you can modify it for your own purpose.

Here is the Script:

<##
  Created by Ingo Karstein 
    https://blog.kenaro.com
##>

#Load Modules and Assemblies
Import-Module-Name "C:\program files\AvePoint\DocAve6\Shell\DocAveModules\DocAveModule" -DisableNameChecking
[System.Reflection.Assembly]::LoadWithPartialName("System.Security") | Out-Null

#Current folder of script
$path = Split-Path $MyInvocation.MyCommand.Path

#Config values
$docavemanageruser = "admin"
$docavemanagerserver = "kcdevsqlexch1"
$docavemanagerport = 14000

#Read password from file or get it from user and store it into a file
if( [string]::IsNullOrEmpty($docavepwd) ) {
  if( Test-Path "$($path)\pwd.txt" ) {
     $data= [System.Convert]::FromBase64String((Get-Content "$($path)\pwd.txt" -Encoding UTF8))
     $global:docavepwd = [System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($data, (123,54,67,89,12,32,146), "CurrentUser"))
  } else {
     $global:docavepwd = Read-Host "Enter AvePoint ""$($docavemanageruser)"" password"
     $data= [System.Security.Cryptography.ProtectedData]::Protect( ([System.Text.Encoding]::UTF8.GetBytes($docavepwd)) ,(123,54,67,89,12,32,146), "CurrentUser")

     [System.Convert]::ToBase64String($data) | Set-Content "$($path)\pwd.txt" -Encoding UTF8 -Force
  }
}

#exit if no password
if( [string]::IsNullOrEmpty($docavepwd) ) {
  exit
}

$success=$false
#check if already logged in into DocAve
try {
  $success= (Get-DALocalUser -ErrorAction 0) -ne $null 
  if( !$? ) {
    $success=$false
  }
} catch {
  $success=$false
}

#If not already logged in: Login using credentials
if( !$success ) {
  $cred = New-Object System.Management.Automation.PSCredential( $docavemanageruser, (ConvertTo-SecureString -Force -AsPlainText $docavepwd))
  Login-DAManager -ControlHost $docavemanagerserver -ControlPort $docavemanagerport -Credential $cred
  if( $? -eq $false ) {
    exit
  }
}

Leave a Reply

Your email address will not be published. Required fields are marked *