Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demo'ed the Export-CliXml functionality, which lets you quickly, easily and, most importantly, securely store credentials to a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either create one manually or use the Get-Credential cmdlet to prompt for the account details:

$Credential = Get-Credential

To store the credentials into a .cred file:

$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"

And to load the credentials from the file and back into a variable:

$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -Computername 'Server01' -Credential $Credential {whoami}


The advantage of this method is that you can leverage the versatility of PowerShell to ensure that the data is not only exported, but also stored in a secure manner using secure strings. It should be noted that the credential files created this way can only be opened by the same user on the same system. The method can be used to store any type of credentials: both local accounts and domain accounts can be saved in this manner.

Note that you are not limited to storing a single set of credentials in this manner; you can use any number of accounts. For example, the following snippet will prompt for three different sets and store them in a hash table, which can then be exported and imported in the same way:

$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
}
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}
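To see what the exported file actually contains, and to confirm that the round trip only works for the exporting user, here is an added example (not from the original post). It constructs a sample credential and uses a file name of Demo.Cred under the profile folder; the plaintext password is a made-up value.

```powershell
# Added example: export a PSCredential with Export-CliXml, inspect what lands on
# disk, then verify the same user on the same machine can read it back.
$PlainText  = 'P@ssw0rd-demo'                                   # constructed sample value
$Password   = ConvertTo-SecureString $PlainText -AsPlainText -Force
$Credential = [System.Management.Automation.PSCredential]::new('CONTOSO\demo', $Password)
$Path       = Join-Path $env:USERPROFILE 'Demo.Cred'

$Credential | Export-CliXml -Path $Path

# What is on disk: the user name is stored as plain text (<S N="UserName">), the
# password as a SecureString (<SS N="Password">), which Export-CliXml serialises
# as a DPAPI blob bound to the current user on the current machine.
[xml]$Stored    = Get-Content -Path $Path -Raw
$UserOnDisk     = $Stored.Objs.Obj.Props.S.'#text'
$PasswordOnDisk = $Stored.Objs.Obj.Props.SS.'#text'

"User name on disk : $UserOnDisk"
"Password on disk  : $($PasswordOnDisk.Substring(0, 16))... ($($PasswordOnDisk.Length) hex chars)"
if ($PasswordOnDisk -like "*$PlainText*") { throw 'Password was written in clear text' }

# Round trip: Import-CliXml rebuilds the PSCredential and the owning user can
# recover the plaintext, which is the reversibility noted in the comments below.
$Imported = Import-CliXml -Path $Path
if ($Imported.GetNetworkCredential().Password -ne $PlainText) {
    throw 'Round trip failed'
}
"Round trip OK for $env:USERNAME on $env:COMPUTERNAME"

# Any other account, or this account on another machine, gets an import error
# because DPAPI cannot unwrap the blob; for portable storage encrypt to a
# certificate instead (hypothetical subject name, private key required to read):
#   Protect-CmsMessage -To 'cn=build-secrets' -Content $PlainText -OutFile secret.cms
#   Unprotect-CmsMessage -Path secret.cms

Remove-Item -Path $Path   # clean up the demo file
```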

8 thoughts on “Quickly and securely storing your credentials – PowerShell”

    1. Jaap Brasser Post author

      Thanks for letting me know. I have been using different variants of this as well in the past, but this is the simplest implementation I have come across so far.

  1. Christopher Blodgett

    I assume you are using encryption and permissions to control access to your file. Can we get more detail on that? Also, secure strings are completely reversible, so I wouldn’t rely on them to secure your data. This is only semi-secure at best; I wouldn’t trust domain admin credentials stored in this method for any large corporation. It’s simple and effective, which I really like.

    1. Jaap Brasser Post author

      Hello Christopher,

      The file itself is not encrypted: the user name will be in plain text and the password will be stored as a secure string, which is encrypted. It is true that it is fully reversible by the user, but that is also the purpose of storing credentials for later use.

      For Enterprise environments I would look into Protect-CMSMessage, which allows you to use certificates to secure your sensitive data.

  2. Pingback: Active Directory ReportUnit Pester results | pshirwin

  3. Pingback: How to run a PowerShell script against multiple Active Directory domains with different credentials – GoateePFE

  4. Sam

    Hi Jaap,

    What if we want to store the credentials to use them on a remote server from an automated script on a build machine? I believe the above script works if it needs to be accessed from the same machine.

    Sam
