While looking for a method to obfuscate passwords in script files, I started with SecureString input combined with the ConvertFrom-SecureString and ConvertTo-SecureString cmdlets. Unfortunately (or fortunately from a security perspective) the SecureString seems relevant only per session/user/process/computer (or a combination thereof).
From documentation these functions use Rijndael symmetric encryption, so I modified another example for a very simple, key-less, passphrase-less encryption/decryption of a string. This isn't even very good obfuscation, let alone encryption, but if you encrypt a password and then reproduce the last 10 lines to decrypt the encrypted string, it's slightly better than storing passwords in very visible plaintext (sort of). I guess this could be obfuscated further by reading the encrypted string from a secured file or registry key.
This could be made as complex as you like with keys and initialisation vectors, but unless you make people enter the key (and then why not just make them enter the password?), there would still be something in plaintext, so I didn’t think there was much point.
I'm still undecided on whether there is any benefit with such simple obfuscation, but I thought I'd post the script nonetheless.
$string = "LongStringToEncryptAsATest"
$string
$r = new-Object System.Security.Cryptography.RijndaelManaged # use Rijndael symmetric key encryption
$c = $r.CreateEncryptor((1..16), (1..16)) # Set the key and initialisation vector to 128 bits each (the 16 bytes 1..16)
$ms = new-Object IO.MemoryStream
$cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write" # Target data stream, transformation, and mode
$sw = new-Object IO.StreamWriter $cs
$sw.Write($String) # Write the string through the crypto stream into the memory stream
$sw.Close()
$cs.Close()
$ms.Close()
$r.Clear()
[byte[]]$result = $ms.ToArray() # Byte array from the encrypted memory stream
$encstring = [Convert]::ToBase64String($result) # Convert to base64 for transport
$encstring # The encrypted base64 string representation
$Encrypted = [Convert]::FromBase64String($encstring) # Convert the encrypted string to a byte array
$r = new-Object System.Security.Cryptography.RijndaelManaged # use Rijndael symmetric key encryption
$d = $r.CreateDecryptor((1..16), (1..16)) # Set the key and initialisation vector to 128 bits each (the 16 bytes 1..16)
$ms = new-Object IO.MemoryStream @(,$Encrypted) # Wrap the byte array in a one-element array so New-Object passes it as a single constructor argument
$cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read" # Target data stream, transformation, and mode
$sr = new-Object IO.StreamReader $cs # Read the string through the crypto stream from the encrypted memory stream
write-output $sr.ReadToEnd() # Write the unencrypted string
$sr.Close()
$cs.Close()
$ms.Close()
$r.Clear()
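The keyed variant mentioned above, as an added example that is not part of the original post: the key is random and kept in a separate file, and every call uses a fresh IV stored in front of the ciphertext. The function names and key-file path are assumptions, it assumes Windows PowerShell 5.1 or later, and anyone who can read the key file can still decrypt, so the ACL on that file is the real protection.

```powershell
# Added example. Function names and $KeyPath are illustrative assumptions.
$KeyPath = Join-Path ([IO.Path]::GetTempPath()) 'example-secret.key'  # assumed path; restrict its ACL in real use

function New-SecretKey([string]$Path) {
    $key = New-Object byte[] 32                          # 256-bit AES key
    $rng = [Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key); $rng.Dispose()
    [IO.File]::WriteAllBytes($Path, $key)
}

function Protect-String([string]$Text, [string]$Path) {
    $aes = [Security.Cryptography.Aes]::Create()         # defaults: CBC mode, PKCS7 padding
    try {
        $aes.Key = [IO.File]::ReadAllBytes($Path)
        $aes.GenerateIV()                                # fresh random IV for every message
        $plain  = [Text.Encoding]::UTF8.GetBytes($Text)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))  # the IV is not secret; store it with the data
    } finally { $aes.Dispose() }
}

function Unprotect-String([string]$Base64, [string]$Path) {
    $blob = [Convert]::FromBase64String($Base64)
    $aes  = [Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = [IO.File]::ReadAllBytes($Path)
        $aes.IV  = [byte[]]($blob[0..15])                # first 16 bytes are the IV
        $plain   = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
        [Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

# Usage with a constructed sample value
New-SecretKey $KeyPath
$a = Protect-String 'LongStringToEncryptAsATest' $KeyPath
$b = Protect-String 'LongStringToEncryptAsATest' $KeyPath
$a -ne $b                        # same input twice: the random IV makes the ciphertexts differ
Unprotect-String $a $KeyPath     # round-trips to the original string
```

CBC here gives confidentiality only; it does not detect tampering with the stored string.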
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
Information regarding Windows Infrastructure, centred mostly around commandline automation and other useful bits of information.
3 comments:
Great Man! It is good to see string encryption with powershell. I just went through code given by you. It is superb man. Thanks a lot.
Very helpful! I'm trying to set up scheduled tasks to many machines to run as a dedicated domain account. Unfortunately this requires entering the username/password in clear text. Your obfuscate script will allow me to create a powershell script which I can invoke the command remotely to many machines without openly revealing the password. Thank you!
This is very Useful!!! thanks:)