Encrypt a password in a PowerShell script

I. Presentation

In this tutorial, we will learn how to encrypt a password in a PowerShell script using the SID of the user who will generate the secure string. This is one way, among others, of not writing the password in plain text in a script.

This encrypted password can then be used to perform various actions: authenticate with Microsoft 365 or Azure, or create an Active Directory account that uses this password (for example, a default password assigned to all new users).

In this article, I will use two essential commands when handling secure character strings (SecureString): ConvertTo-SecureString and ConvertFrom-SecureString.

II. Encrypt Password with PowerShell

The objective is to encrypt the password “MonSuperMotDePasse” so that we can use it in the script without it being visible in the clear. First, we create a secure string from our plain-text password, which involves using the “-AsPlainText” option. The “-Force” parameter is required alongside “-AsPlainText” unless you are using PowerShell 7+ (where it is still accepted for compatibility reasons, so keeping it does no harm).

$MotDePasse = "MonSuperMotDePasse"
$MotDePasse = ConvertTo-SecureString -String $MotDePasse -AsPlainText -Force

If we try to read the contents of this variable or look at its type ($MotDePasse.GetType()), we can see that it is a SecureString. It’s all good.

System.Security.SecureString

[Screenshot: PowerShell - Encrypted password in a script]

Next, we will retrieve the encrypted string in text form, but without revealing our super password:

$MotDePasse | ConvertFrom-SecureString

A value is returned in the console. For instance:

[Screenshot: PowerShell - ConvertFrom-SecureString]

This is the encrypted password: it is this value that we will use in the next part of this article.

III. Use encrypted password

Now, still from the same user account, we will use this password, and we can also define a user name. The variable $Utilisateur contains the username, while the variable $UtilisateurMdp contains the password as a SecureString. We use ConvertTo-SecureString without the “-AsPlainText” parameter, because here the input is not raw text but an already encrypted string that we want to load back into a SecureString.

Which gives (we reuse the previous value):

$Utilisateur = "[email protected]"
$UtilisateurMdp = "01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c76e757249edf429fc0ee5c2acb5b710000000002000000000010660....." | ConvertTo-SecureString

Then, we can verify that $UtilisateurMdp is indeed a SecureString.

[Screenshot: PowerShell - Use encrypted password]

All that remains is to use it in our script!

For example, we can create a user in the Active Directory who will inherit this password:

New-ADUser -Name "TestMdp" -AccountPassword $UtilisateurMdp

In the same spirit, to authenticate on Azure AD, on Microsoft Teams, etc.:

$Creds = New-Object System.Management.Automation.PSCredential($Utilisateur,$UtilisateurMdp)
Connect-AzureAD -Credential $Creds
Connect-MicrosoftTeams -Credential $Creds

All this shows that we can use the SecureString to define a password when creating an account, or as a password when authenticating on a service.

IV. Conclusion

Thanks to this method, you are able to store an encrypted password in a PowerShell script using a SecureString, without it being visible in the clear in the code! Be aware that the encrypted string generated in this exercise is tied to the user and to the computer, so you will need to generate it directly on the target environment to avoid malfunctions (and unpleasant surprises). To make it “portable”, you would need to rely on an external key, such as an AES key.
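The following is an added example, not code from the original article. It puts the flow of part III into a script (the encrypted string is stored in a file rather than pasted into the code), catches the failure you get when that file is read by another user or on another machine, and then shows the AES-key variant mentioned above using the real -Key parameter of ConvertFrom-SecureString/ConvertTo-SecureString. The file paths and the user name are placeholders.

```powershell
# Added example (not from the original article). Paths and user name are placeholders.
$CredFile = Join-Path $env:USERPROFILE "script-secret.txt"   # assumption: a per-user path

# --- Generation step: run ONCE, on the target machine, as the account that will run the script ---
# The password is typed interactively, so it never appears in the script or in history.
$Secret = Read-Host -Prompt "Password to protect" -AsSecureString
# Without -Key, ConvertFrom-SecureString protects the value with DPAPI (current user + machine).
$Secret | ConvertFrom-SecureString | Set-Content -Path $CredFile

# --- Use step: inside the script ---
$Utilisateur = "user@example.com"   # placeholder user name
try {
    $UtilisateurMdp = Get-Content -Path $CredFile | ConvertTo-SecureString
}
catch {
    # Reached when the file was generated by another user or on another computer
    # (the DPAPI key does not match); fail early with a clear message instead of a confusing logon error.
    throw "Cannot decrypt '$CredFile' as $env:USERNAME on $env:COMPUTERNAME : $($_.Exception.Message)"
}
if ($UtilisateurMdp -isnot [System.Security.SecureString]) { throw "Unexpected type" }
$Creds = New-Object System.Management.Automation.PSCredential($Utilisateur, $UtilisateurMdp)
# $Creds can now be passed to Connect-AzureAD, Connect-MicrosoftTeams, New-ADUser, ...

# --- Portable variant: encrypt with an explicit AES key instead of DPAPI ---
# -Key accepts a byte[] of 16, 24 or 32 bytes (AES-128/192/256). The key becomes the secret:
# it is no longer tied to a user or a machine, so keep it out of the script and restrict its ACL.
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Secret | ConvertFrom-SecureString -Key $Key | Set-Content -Path "$CredFile.aes"
[Convert]::ToBase64String($Key) | Set-Content -Path "$CredFile.key"   # store base64, works on PS 5.1 and 7

# Reloading on any machine that has both files (e.g. a service account on another server):
$KeyBack = [Convert]::FromBase64String((Get-Content -Path "$CredFile.key" -Raw).Trim())
$Portable = Get-Content -Path "$CredFile.aes" | ConvertTo-SecureString -Key $KeyBack
$CredsPortable = New-Object System.Management.Automation.PSCredential($Utilisateur, $Portable)
```

Wrong-key and wrong-user cases both surface as an exception from ConvertTo-SecureString, which is why the load is wrapped in try/catch rather than discovered later as an authentication failure.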

If you are interested in the topic of encryption with PowerShell, I recommend that you take a look at the PowerShell command “Protect-CmsMessage” (associated with a method based on asymmetric cryptography).
