Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bitsofinfo/powershell-credential-encryption-tools
Set of small tools for managing AES encrypted credentials for powershell scripts
credentials encryption passwords powershell security-tools
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/bitsofinfo/powershell-credential-encryption-tools
- Owner: bitsofinfo
- Created: 2015-01-15T23:06:06.000Z (about 10 years ago)
- Default Branch: master
- Last Pushed: 2015-01-20T16:03:09.000Z (about 10 years ago)
- Last Synced: 2023-03-24T07:19:41.627Z (almost 2 years ago)
- Topics: credentials, encryption, passwords, powershell, security-tools
- Language: PowerShell
- Homepage: https://bitsofinfo.wordpress.com/2015/01/20/encrypting-and-storing-powershell-credentials/
- Size: 465 KB
- Stars: 18
- Watchers: 5
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# powershell-credential-encryption-tools
### credentialEncryptor.ps1 and decryptUtil.ps1
**Simple script for AES encrypting a set of portable credentials**
**INFO:**
```./credentialEncryptor.ps1 -k [pathToKeyFile] -o [pathToCredFile] [-validate $true | $false]```

**decryptUtil.ps1** is a script intended to be included in your PowerShell scripts where you need to load the credentials you stored offline. It provides a set of functions to do this.
**credentialEncryptor USAGE**
* Prompts for a username/password to encrypt
* If the keyFile specified via "-k" does NOT already exist, a new 256-bit key is generated using a secure random byte generator. If it does already exist, it is used as-is. This key is used to AES encrypt the credentials, which are built into a JSON structure as follows:
```{ "username" : "AESEncryptedValue", "password": "AESEncryptedValue" }```
* The resulting JSON is stored in local dir named: **encrypted.credentials** (unless -o is specified explicitly)
* If the key is newly generated, the secret key's bytes are Base64 encoded and stored in the local directory in a file named: **secret.key** (unless -k is specified explicitly)
* Both of the above files have their permissions changed to R/W by the Administrators group only. If the key pre-exists this will not occur
* Optionally if -validate $true/$false is passed, as a test, both of the files are read back in and used to decrypt the credentials to verify that the decryption works and the inputs match what was decrypted. Note this potentially exposes the credentials in the clear in memory.
* The resulting files can then be used by other PowerShell scripts that need to load stored credentials locally and use them for various purposes. It is important to note that the resulting files are **portable**: nothing about the encryption/decryption routines is bound to the security context of the local user running these commands. That noted, **the responsibility is on you to properly secure the secret.key!**
* Also see **decryptUtil.ps1** for some useful supporting functions, including an example of loading the JSON file of credentials into a PSCredential. This script is intended to be included in other PowerShell scripts that need to load the credentials.
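
The key-file, JSON and ACL steps listed above, as an added end-to-end sketch that is not code from this repository. Assumptions: the AES step uses the built-in `ConvertFrom-SecureString -Key` cmdlet (the README does not say how the tool applies AES), the helper name `Set-AdminOnlyAcl` is hypothetical, the credentials are constructed sample values, and it runs in an elevated Windows PowerShell session.

```powershell
# Added illustration, not the repository's code. File names follow the README defaults.
$keyFile  = Join-Path $PWD 'secret.key'
$credFile = Join-Path $PWD 'encrypted.credentials'

function Set-AdminOnlyAcl([string]$Path) {   # hypothetical helper name
    # Drop inherited ACEs, then allow read/write to BUILTIN\Administrators only.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'Read, Write', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-Path $keyFile) {
    # Existing key: reuse it and leave its permissions untouched.
    $key = [Convert]::FromBase64String([IO.File]::ReadAllText($keyFile))
} else {
    # New 256-bit key from the OS CSPRNG, stored Base64 encoded.
    $key = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key)
    $rng.Dispose()
    [IO.File]::WriteAllText($keyFile, [Convert]::ToBase64String($key))
    Set-AdminOnlyAcl $keyFile
}

# Constructed demo input; a real run would take these from Get-Credential.
$user = ConvertTo-SecureString 'svc-demo' -AsPlainText -Force
$pass = ConvertTo-SecureString 'constructed-demo-only' -AsPlainText -Force

# With -Key, ConvertFrom-SecureString uses AES under the supplied key instead of DPAPI.
@{ username = ConvertFrom-SecureString $user -Key $key
   password = ConvertFrom-SecureString $pass -Key $key } |
    ConvertTo-Json | Set-Content -Path $credFile -Encoding UTF8
Set-AdminOnlyAcl $credFile

# Consumer side: any host holding secret.key can rebuild the PSCredential.
$stored = Get-Content -Path $credFile -Raw | ConvertFrom-Json
$u = ConvertTo-SecureString $stored.username -Key $key
$p = ConvertTo-SecureString $stored.password -Key $key
$name = (New-Object System.Net.NetworkCredential('', $u)).Password
$loaded = New-Object System.Management.Automation.PSCredential($name, $p)
$loaded.UserName
```

Because decryption depends only on the key bytes, the ACL on **secret.key** is the entire access control for the stored credentials; anyone who can copy both files can decrypt them on another machine.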