Category Archives: SecureString

ConvertTo-SecureString

NAME
    ConvertTo-SecureString

SYNOPSIS
    Converts encrypted standard strings to secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host.

SYNTAX
    ConvertTo-SecureString [-Key <Byte[]>] [-String] <string> [<CommonParameters>]

    ConvertTo-SecureString [[-AsPlainText]] [[-Force]] [-String] <string> [<CommonParameters>]

    ConvertTo-SecureString [[-SecureKey] <SecureString>] [-String] <string> [<CommonParameters>]

DESCRIPTION
    The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or Functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to be stored in a file for later use.

    If the standard string being converted was encrypted with ConvertFrom-SecureString using a specified key, that same key must be provided as the value of the Key or SecureKey parameter of the ConvertTo-SecureString cmdlet.

PARAMETERS
    -AsPlainText [<SwitchParameter>]
        Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Force [<SwitchParameter>]
        Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.

        Required?                    false
        Position?                    3
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Key <Byte[]>
        Specifies the encryption key to use when converting a secure string into an encrypted standard string. Valid key lengths are 16, 24, and 32 bytes.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SecureKey <SecureString>
        Specifies the encryption key to use when converting a secure string into an encrypted standard string. The key must be provided in the format of a secure string. The secure string is converted to a byte array before being used as the key. Valid key lengths are 16, 24, and 32 bytes.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -String <string>
        Specifies the string to convert to a secure string.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String
        You can pipe a standard encrypted string to ConvertTo-SecureString.

OUTPUTS
    System.Security.SecureString
        ConvertTo-SecureString returns a SecureString object.

NOTES

    ————————– EXAMPLE 1 ————————–

    C:\PS>$secure = Read-Host -assecurestring

    C:\PS> $secure
    System.Security.SecureString

    C:\PS> $encrypted = ConvertFrom-SecureString -securestring $secure
    C:\PS> $encrypted
    01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a114d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea84bfb7d70bd6842e7
    efa79820000000004800000a000000010000000f10cd0f4a99a8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d485ff211b9b2a2df3bd
    6eb67aae41

    C:\PS> $secure2 = ConvertTo-SecureString -String $encrypted
    C:\PS> $secure2
    System.Security.SecureString

    Description
    ———–
    This example shows how to create a secure string from user input, convert the secure string to an encrypted standard string, and then convert the encrypted standard string back to a secure string.

    The first command uses the AsSecureString parameter of the Read-Host cmdlet to create a secure string. After you enter the command, any characters that you type are converted into a secure string and then saved in the $secure Variable.

    The second command displays the contents of the $secure Variable. Because the $secure Variable contains a secure string, Windows PowerShell displays only the System.Security.SecureString type.

    The third command uses the ConvertFrom-SecureString cmdlet to convert the secure string in the $secure Variable into an encrypted standard string. It saves the result in the $encrypted Variable. The fourth command displays the encrypted string in the value of the $encrypted Variable.

    The fifth command uses the ConvertTo-SecureString cmdlet to convert the encrypted standard string in the $encrypted Variable back into a secure string. It saves the result in the $secure2 Variable. The sixth command displays the value of the $secure2 Variable. The SecureString type indicates that the command was successful.

    ————————– EXAMPLE 2 ————————–

    C:\PS>$secure = Read-Host -assecurestring

    C:\PS> $encrypted = ConvertFrom-SecureString -secureString $secure -key (1..16)

    C:\PS> $encrypted | Set-Content encrypted.txt

    C:\PS> $secure2 = Get-Content encrypted.txt | ConvertTo-SecureString -key (1..16)

    Description
    ———–
    This example shows how to create a secure string from an encrypted standard string that is saved in a file.

    The first command uses the AsSecureString parameter of the Read-Host cmdlet to create a secure string. After you enter the command, any characters that you type are converted into a secure string and then saved in the $secure Variable.

    The second command uses the ConvertFrom-SecureString cmdlet to convert the secure string in the $secure Variable into an encrypted standard string by using the specified key. The contents are saved in the $encrypted Variable.

    The third command uses a pipeline operator (|) to send the value of the $encrypted Variable to the Set-Content cmdlet, which saves the value in the Encrypted.txt file.

    The fourth command uses the Get-Content cmdlet to get the encrypted standard string in the Encrypted.txt file. The command uses a pipeline operator to send the encrypted string to the ConvertTo-SecureString cmdlet, which converts it to a secure string by using the specified key. The results are saved in the $secure2 Variable.

    ————————– EXAMPLE 3 ————————–

    C:\PS>$secure_string_pwd = ConvertTo-SecureString “P@ssW0rD!” -asplaintext -force

    Description
    ———–
    This command converts the plain text string “P@ssW0rD!” into a secure string and stores the result in the $secure_string_pwd Variable. To use the AsPlainText parameter, the Force parameter must also be included in the command.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113291
    ConvertFrom-SecureString
    Read-Host

ConvertFrom-SecureString

NAME
    ConvertFrom-SecureString

SYNOPSIS
    Converts a secure string into an encrypted standard string.

SYNTAX
    ConvertFrom-SecureString [-Key <Byte[]>] [-SecureString] <SecureString> [<CommonParameters>]

    ConvertFrom-SecureString [[-SecureKey] <SecureString>] [-SecureString] <SecureString> [<CommonParameters>]

DESCRIPTION
    The ConvertFrom-SecureString cmdlet converts a secure string (System.Security.SecureString) into an encrypted standard string (System.String). Unlike a secure string, an encrypted standard string can be saved in a file for later use. The encrypted standard string can be converted back to its secure string format by using the ConvertTo-SecureString cmdlet. If an encryption key is specified by using the Key or SecureKey parameters, the Rijndael encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the Rijndael encryption algorithm. If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.

PARAMETERS
    -Key <Byte[]>
        Specifies the encryption key as a byte array.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SecureKey <SecureString>
        Specifies the encryption key as a secure string. The secure string value is converted to a byte array before being used as the key.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SecureString <SecureString>
        Specifies the secure string to convert to an encrypted standard string.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.Security.SecureString
        You can pipe a SecureString object to ConvertFrom-SecureString.

OUTPUTS
    System.String
        ConvertFrom-SecureString returns a standard string object.

NOTES

        To create a secure string from characters that are typed at the command prompt, use the AsSecureString parameter of the Read-Host cmdlet.

        When you use the Key or SecureKey parameters to specify a key, the key length must be correct. For example, a key of 128 bits can be specified as a byte array of 16 digits. Similarly, 192-bit and 256-bit keys correspond to byte arrays of 24 and 32 digits, respectively.

    ————————– EXAMPLE 1 ————————–

    C:\PS>$securestring = Read-Host -assecurestring

    Description
    ———–
    This command creates a secure string from characters that you type at the command prompt. After entering the command, type the string you want to store as a secure string. An asterisk (*) will be displayed to represent each character that you type.

    ————————– EXAMPLE 2 ————————–

    C:\PS>$standardstring = ConvertFrom-SecureString $securestring

    Description
    ———–
    This command converts the secure string in the $securestring Variable to an encrypted standard string. The resulting encrypted standard string is stored in the $standardstring Variable.

    ————————– EXAMPLE 3 ————————–

    C:\PS>$key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

    C:\PS> $standardstring = ConvertFrom-SecureString $securestring -key $key

    Description
    ———–
    These commands use the Rijndael algorithm to convert the secure string stored in the $securestring Variable to an encrypted standard string with a 192-bit key. The resulting encrypted standard string is stored in the $standardstring Variable.

    The first command stores a key in the $key Variable. The key is an array of 24 digits, all of which are less than 256.

    Because each digit represents a byte (8 bits), the key has 24 digits for a total of 192 bits (8 x 24). This is a valid key length for the Rijndael algorithm. Each individual value is less than 256, which is the maximum value that can be stored in an unsigned byte.

    The second command uses the key in the $key Variable to convert the secure string to an encrypted standard string.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113287
    ConvertTo-SecureString
    Read-Host