PowerShell Credentials are very useful in the world of system administration. Passwords stored in a PSCredential object are encrypted by a key, so that means you can't just pipe a PSCredential into Export-Clixml to export your credentials because the key is stored in memory for the current user on the current computer only. I have written two functions to work around this by bundling a separate key and a linked PSCredential object into a PSObject, so you can export that object by piping it to Export-Clixml. You can then transfer that object to a remote computer and/or different user and import it via my second cmdlet listed below:
Export a credential with Export-Credential:
<#
.SYNOPSIS
Exports a PowerShell credential the proper way.
.DESCRIPTION
Creates a PowerShell credential and returns the secured credential with it's key.
.LINK
https://bartsimons.me
#>
Function Export-Credential {
[CmdletBinding()]
[OutputType(
[PSCustomObject]
)]
Param (
[Parameter(
Mandatory = $false
)]
[SecureString]
$Password,
[Parameter(
Mandatory = $false
)]
[String]
$Username,
[Parameter(
Mandatory = $false
)]
[PSCredential]
$Credential
)
If (-not ($Credential -and $Password)) {
$CredentialSpecified = $false
$PasswordSpecified = $false
$Key = New-Object Byte[](32)
$Rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
$Rng.GetBytes($Key)
If ($Credential) {
$CredentialSpecified = $true
return New-Object PSObject -Property @{
Username = $Credential.UserName
Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $Key
Key = $Key
}
}
If ($Password -and $Username) {
$PasswordSpecified = $true
return New-Object PSObject -Property @{
Username = $Username
Password = ConvertFrom-SecureString -SecureString $Password -Key $Key
Key = $Key
}
} Else {
Write-Error "You need to specify both a username and password."
}
} Else {
Write-Error "You can only specify a credential OR a password, not both"
}
}
Import a credential with Import-Credential:
<#
.SYNOPSIS
Imports a PowerShell credential the proper way.
.DESCRIPTION
Creates a new PowerShell credential from imported data.
.LINK
https://bartsimons.me
#>
Function Import-Credential {
[CmdletBinding()]
[OutputType(
[PSCustomObject]
)]
Param (
[Parameter(
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true
)]
[PSCustomObject]
$Data
)
If ($Data.Username -and $Data.Password -and $Data.Key) {
return New-Object System.Management.Automation.PSCredential($Data.Username, (ConvertTo-SecureString -String $Data.Password -Key $Data.Key))
} Else {
Write-Error "Inconsistent data structure in variable"
}
}
An example:
# Generate a credential and export it to credentials.xml
Export-Credential -Credential (Get-Credential) | Export-Clixml credentials.xml
# Import the credential on the remote machine into the variable $theCredential
$theCredential = (Import-Clixml credentials.xml | Import-Credential)
I hope you find these two functions useful! Be careful though, anyone with access to your key could potentially decrypt your password. So think twice when you decide where to store your exported credentials 😉