Bart Simons

import

A 1 post collection


Export And Import PowerShell Credentials

 •  Filed under powershell, credentials, export, import

PowerShell Credentials are very useful in the world of system administration. Passwords stored in a PSCredential object are encrypted by a key, so that means you can't just pipe a PSCredential into Export-Clixml to export your credentials because the key is stored in memory for the current user on the current computer only. I have written two functions to work around this by bundling a separate key and a linked PSCredential object into a PSObject, so you can export that object by piping it to Export-Clixml. You can then transfer that object to a remote computer and/or different user and import it via my second cmdlet listed below:

Export a credential with Export-Credential:
<#  
    .SYNOPSIS
        Exports a PowerShell credential the proper way.
    .DESCRIPTION
        Creates a PowerShell credential and returns the secured credential with it's key.
    .LINK
        https://bartsimons.me
#>

Function Export-Credential {  
    [CmdletBinding()]
    [OutputType(
        [PSCustomObject]
    )]

    Param (
        [Parameter(
            Mandatory = $false
        )]
        [SecureString]
        $Password,

        [Parameter(
            Mandatory = $false
        )]
        [String]
        $Username,

        [Parameter(
            Mandatory = $false
        )]
        [PSCredential]
        $Credential
    )

    If (-not ($Credential -and $Password)) {

        $CredentialSpecified = $false
        $PasswordSpecified   = $false

        $Key = New-Object Byte[](32)

        $Rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
        $Rng.GetBytes($Key)

        If ($Credential) {
            $CredentialSpecified = $true

            return New-Object PSObject -Property @{
                Username = $Credential.UserName
                Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $Key
                Key = $Key
            }
        }

        If ($Password -and $Username) {
            $PasswordSpecified = $true

            return New-Object PSObject -Property @{
                Username = $Username
                Password = ConvertFrom-SecureString -SecureString $Password -Key $Key
                Key = $Key
            }
        } Else {
            Write-Error "You need to specify both a username and password."
        }

    } Else {
        Write-Error "You can only specify a credential OR a password, not both"
    }
}
Import a credential with Import-Credential:
<#  
    .SYNOPSIS
        Imports a PowerShell credential the proper way.
    .DESCRIPTION
        Creates a new PowerShell credential from imported data.
    .LINK
        https://bartsimons.me
#>


Function Import-Credential {  
    [CmdletBinding()]
    [OutputType(
        [PSCustomObject]
    )]

    Param (
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true
        )]
        [PSCustomObject]
        $Data
    )

    If ($Data.Username -and $Data.Password -and $Data.Key) {
        return New-Object System.Management.Automation.PSCredential($Data.Username, (ConvertTo-SecureString -String $Data.Password -Key $Data.Key))
    } Else {
        Write-Error "Inconsistent data structure in variable"
    }
}

An example:

# Generate a credential and export it to credentials.xml
Export-Credential -Credential (Get-Credential) | Export-Clixml credentials.xml

# Import the credential on the remote machine into the variable $theCredential
$theCredential = (Import-Clixml credentials.xml | Import-Credential)

I hope you find these two functions useful! Be careful though, anyone with access to your key could potentially decrypt your password. So think twice when you decide where to store your exported credentials 😉