How secure is PowerShell's ConvertFrom-SecureString -key

security powershell securestring
Josiah picture Josiah · Sep 20, 2012 · Viewed 8.1k times · Source

I have a module that includes some strings with some private data that should be hard to attain, but changes frequently. I need to put this script on a variety of machines where it might be accessed and the code read by someone who should not have the information used to derive the output.

I'm really concerned about strings that change from time to time so I'm considering creating a script which prompts for those values as secure strings and encrypts them using a key and dumps them into an xml file. The XML file then is used to provide the strings. Anyone running a command from this module that needs that data would have to provide the key so the strings could be decrypted.

Here is basically what I expect to do, but I'll be dealing with objects 

$secure = Read-Host -AsSecureString
$encrypted =  ConvertFrom-SecureString -securestring $secure -key somekey
$encrypted | Export-Clixml testing.xml
$imported = Import-Clixml testing.xml
$value = ConvertTo-SecureString -string $imported -key somekey

I understand that the string will be encrypted using the Rijndael encryption algorithm, which is also known as AES I believe.

How much effort is needed to break that encrypted key where it rests in the xml file, given access to the script?

Answer

latkin picture latkin · Sep 20, 2012

Then encrpted secret string on its own is safe, but it is presumably unusable in that form. ConvertTo-SecureString will convert it from an encrypted standard string into a SecureString, but in order to do that, you need the key. If you users or script have the key, then they can do anything.

And can you even pass the SecureString to whatever application you are working with, or will you need to convert it back to regular string? If the secret data is at any time in plaintext form, then your users can see it.

Even if your application supports SecureString, you are still hosed because SecureString is trivially crackable:

[System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
  [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securestring)
 )

The approach of encrypting the secret data with some key, but allowing low-priv users to have the key, is broken. It's equivalent to "I don't want my friend to have the keys to my house, so I'll lock the keys in a box and give him the keys to the box instead."

Related questions

Send mail via Gmail with PowerShell V2's Send-MailMessage

I'm trying to figure out how to use PowerShell V2's Send-MailMessage with Gmail. Here's what I have so far. $ss = New-Object Security.SecureString foreach ($ch in "password".ToCharArray()) { $ss.AppendChar($ch) } $cred = New-Object Management.Automation.PSCredential "[email protected]", $…

Read More
Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly

I must warn you I don't use powershell much. I am trying to turn off windows defender real time protection via powershell I found the command Set-MpPreference -DisableRealtimeMonitoring $true and tried it in admin privileges only to get this Set-MpPreference : …

Read More
Add group "Everyone" to directory and all of it's sub-directories

I'm currently using Vista 32-bit. How do I add the Windows security group "Everyone" and give full control to a directory and all of it's sub-directories and all files? Is there a powershell script that I could use? Thanks!

Read More