Bart Simons

Bart Simons


Thoughts, stories and ideas.

Bart Simons
Author

Share


Tags


.net .net 5 .net core Apache C# CentOS LAMP NET Framework Pretty URLs Windows Server WireGuard WireGuard.io access log add analysis android api at the same time authentication authorization automate automation azure azurerm backup bash basics batch bootstrap build capture cheat sheet chromium chroot class cli click to close code coverage code snippet command line commands compile compiling compression containers control controller controlling convert cpu usage create credentials csv csvparser curl data dd deployment desktop detect devices disable diskpart dism distributed diy docker dom changes dotnet core drivers ease of access encryption example export file transfer files fix folders framework generalize getting started ghost ghost.org gui guide gunicorn gzip html html tables icewarp igd imagex import inotify install installation interactive ios iphone itunes java javascript jquery json kiosk kotlin linux live load data loading screen lock screen loopback audio lxc lxd lxml macos manage manually message messages minio mirrored mod_rewrite monitor monitoring mstest mutationobserver mysql net 5 nexmo nginx no oobe node node.js nodejs not installing notification notifications object storage on desktop one command openssl owncloud parallels parallels tools parse perfect philips hue play port forwarding portainer.io powershell processing ps-spotify python quick raspberry pi record rip ripping rsync rtmp save save data sbapplication scraping script scripting scriptingbridge scripts security send server service sharedpreferences sms songs sonos spotify spotify api spotlight ssh stack streaming streamlink studio sudo swarm swift sync sysprep system audio systemd tables terminal testing tracking tutorial twilio ubiquiti ubuntu ubuntu 18.04 ui code unifi unlock unsplash source upnp uptime usb tethering wallpapers wasapi website websites webview windows windows 10 without itunes without oobe workaround xaml

Export And Import PowerShell Credentials

PowerShell Credentials are very useful in the world of system administration. Passwords stored in a PSCredential object are encrypted by a key, so that means you can't just pipe a PSCredential into Export-Clixml to export your credentials because the key is stored in memory for the current user on the current computer only. I have written two functions to work around this by bundling a separate key and a linked PSCredential object into a PSObject, so you can export that object by piping it to Export-Clixml. You can then transfer that object to a remote computer and/or different user and import it via my second cmdlet listed below:

Export a credential with Export-Credential:
<#
    .SYNOPSIS
        Exports a PowerShell credential the proper way.
    .DESCRIPTION
        Creates a PowerShell credential and returns the secured credential with it's key.
    .LINK
        https://bartsimons.me
#>

Function Export-Credential {
    [CmdletBinding()]
    [OutputType(
        [PSCustomObject]
    )]

    Param (
        [Parameter(
            Mandatory = $false
        )]
        [SecureString]
        $Password,

        [Parameter(
            Mandatory = $false
        )]
        [String]
        $Username,

        [Parameter(
            Mandatory = $false
        )]
        [PSCredential]
        $Credential
    )

    If (-not ($Credential -and $Password)) {

        $CredentialSpecified = $false
        $PasswordSpecified   = $false

        $Key = New-Object Byte[](32)

        $Rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
        $Rng.GetBytes($Key)

        If ($Credential) {
            $CredentialSpecified = $true

            return New-Object PSObject -Property @{
                Username = $Credential.UserName
                Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $Key
                Key = $Key
            }
        }

        If ($Password -and $Username) {
            $PasswordSpecified = $true

            return New-Object PSObject -Property @{
                Username = $Username
                Password = ConvertFrom-SecureString -SecureString $Password -Key $Key
                Key = $Key
            }
        } Else {
            Write-Error "You need to specify both a username and password."
        }

    } Else {
        Write-Error "You can only specify a credential OR a password, not both"
    }
}
Import a credential with Import-Credential:
<#
    .SYNOPSIS
        Imports a PowerShell credential the proper way.
    .DESCRIPTION
        Creates a new PowerShell credential from imported data.
    .LINK
        https://bartsimons.me
#>


Function Import-Credential {
    [CmdletBinding()]
    [OutputType(
        [PSCustomObject]
    )]

    Param (
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true
        )]
        [PSCustomObject]
        $Data
    )

    If ($Data.Username -and $Data.Password -and $Data.Key) {
        return New-Object System.Management.Automation.PSCredential($Data.Username, (ConvertTo-SecureString -String $Data.Password -Key $Data.Key))
    } Else {
        Write-Error "Inconsistent data structure in variable"
    }
}

An example:

# Generate a credential and export it to credentials.xml
Export-Credential -Credential (Get-Credential) | Export-Clixml credentials.xml

# Import the credential on the remote machine into the variable $theCredential
$theCredential = (Import-Clixml credentials.xml | Import-Credential)

I hope you find these two functions useful! Be careful though, anyone with access to your key could potentially decrypt your password. So think twice when you decide where to store your exported credentials 😉

Bart Simons
Author

Bart Simons

View Comments