HowTo: Use ConvertTo-SecureString and ConvertFrom-SecureString

Brandon Shell

I know I'm just doing something stupid, but I can't seem to get this to work.
I assume it has something to do with typing. I'm not a developer by any
stretch so please be patient, just an ol' school command/vbs scripter.

Example:
---------
$securestring = ConvertTo-SecureString "Hello"

I get Error:
-----------
ConvertTo-SecureString : Cannot process argument because the value of
argument "input" is invalid.
At line:1 char:39
 

Lee Holmes [MSFT]

For some background -- a SecureString is a type of string that PowerShell
(and .Net) keeps encrypted in memory. Even if an attacker can explore the
memory on your computer (like the contents of a swap file, for example,)
they cannot gain access to the secret protected by the SecureString.

Although you can pass around SecureStrings with impunity, applications must
be extremely careful at the boundaries -- when creating SecureStrings and
retrieving the encrypted data from them. This means doing things like
reading your password input character by character, then removing each
character from memory as soon as possible. If the data is ever stored as a
regular string, it stays in memory until the process exits.

By typing a regular string onto the command line (like you did below,) the
string can no longer be made secure. That specific string stays in memory
until PowerShell exits. This is why ConvertTo-SecureString only accepts the
encrypted output of ConvertFrom-SecureString. Only in that way can we
retain the security guarantee of SecureStrings.

That said, most people aren't that concerned about an attacker spying on
their machine's memory, or digging through their Windows pagefile. In many
situations, the benefit of being able to automate these situations vastly
outweighs the potential security risk.

For the upcoming release candidate, we've added some new functionality to
allow this:

$secureString = ConvertTo-SecureString "Hello" -AsPlainText -Force

(The force flag lets you bypass the warning I just gave you :) )

Until then, you can create SecureStrings from plain text this way:

$text = "Hello World"
$secureString = new-object Security.SecureString
$text.ToCharArray() | % { $secureString.AppendChar($_) }

--
Lee Holmes [MSFT]
Windows PowerShell Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Brandon Shell

Thanks... makes sense... I think I just misunderstood the purpose.

I was looking to encrypt a text (Password of sorts) and store on disk or db,
so that I was the only one that could decrypt.

Lee Holmes [MSFT]

That is a perfect use of the cmdlets.

PS >$secureString = Read-Host -AsSecureString
************
PS >ConvertFrom-SecureString $secureString | out-file c:\temp\encrypted.txt
PS >$newString = gc C:\temp\encrypted.txt | ConvertTo-SecureString

Lee
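
The save-and-reload pattern from Lee's reply, together with the boundary handling he describes earlier in the thread, as an added example that is not part of the original posts. It assumes Windows, where ConvertFrom-SecureString without -Key or -SecureKey uses DPAPI, so only the same user on the same machine can reload the file; the path, account name, function names and sample secret are constructed.

```powershell
# Added example, not from the thread. Path, account name and secret are constructed.
$path = Join-Path $env:TEMP 'encrypted.txt'

# Build a SecureString without a prompt so the example runs unattended.
# Interactive scripts should use: Read-Host -AsSecureString
$secure = New-Object System.Security.SecureString
'Constructed-Sample-Secret'.ToCharArray() | ForEach-Object { $secure.AppendChar($_) }
$secure.MakeReadOnly()

# With no -Key or -SecureKey, the exported text is protected by Windows DPAPI
# under the current user's profile on this computer.
ConvertFrom-SecureString $secure | Set-Content -Path $path

function Import-StoredSecret {
    param([Parameter(Mandatory)][string]$Path)
    try {
        Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause when the file exists: it is being read by a different
        # account or on a different machine, so DPAPI cannot unprotect it.
        Write-Warning "Could not load secret from '$Path': $($_.Exception.Message)"
        $null
    }
}

function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secret)
    # Copy to unmanaged memory, read it, then zero and free that copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$restored = Import-StoredSecret -Path $path
if ($restored) {
    # Preferred: hand the SecureString to APIs that accept it directly.
    $cred = New-Object System.Management.Automation.PSCredential('svc-example', $restored)
    # Only at a boundary that demands plain text:
    $plain = ConvertTo-PlainText $restored
    "Round trip ok: $($plain -eq 'Constructed-Sample-Secret')"
}
Remove-Item $path
```

The string returned by ConvertTo-PlainText is a regular string again, so the caveat above about regular strings staying in memory applies to it.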