
# encoding: utf-8
# api: powershell
# title: Export-PSCredential
# description: original filename: lib-authentication.ps1
# version: 0.1
# type: function
# license: CC0
# function: Export-PSCredential
# x-poshcode-id: 473
# x-derived-from-id: 474
# x-archived: 2016-09-09T08:47:08
# x-published: 2008-07-21T18:11:00
# These functions allow one to easily save network credentials to disk in a relatively secure manner.  The resulting on-disk credential file can only [1] be decrypted by the same user account which performed the encryption.  For more details, see the help files for ConvertFrom-SecureString and ConvertTo-SecureString as well as MSDN pages about Windows Data Protection API.
# [1]: So far as I know today.  Next week I’m sure a script kiddie will break it.
# rev 2: added more comments
# rev 3: removed custom type name due to issues on v1
# rev 4: re-worked error checking to allow for username strings like get-credential
#
# Author: 	Hal Rottenberg <hal@halr9000.com>
# Url:		http://halr9000.com/article/tag/lib-authentication.ps1
# Purpose:	These functions allow one to easily save network credentials to disk in a relatively
#			secure manner.  The resulting on-disk credential file can only [1] be decrypted
#			by the same user account which performed the encryption.  For more details, see
#			the help files for ConvertFrom-SecureString and ConvertTo-SecureString as well as
#			MSDN pages about Windows Data Protection API.
#			[1]: So far as I know today.  Next week I'm sure a script kiddie will break it.
#
# Usage:	Export-PSCredential [-Credential <PSCredential object>] [-Path <file to export>]
#
#			If Credential is not specified, user is prompted by Get-Credential cmdlet.
#			If not specified, Path is "./credentials.enc.xml".
#			Output: FileInfo object referring to saved credentials
#
#			Import-PSCredential [-Path <file to import>]
#
#			If not specified, Path is "./credentials.enc.xml".
#			Output: PSCredential object

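function Export-PSCredential {
	param ( $Credential = (Get-Credential), $Path = "credentials.enc.xml" )

	# Accept either a ready-made PSCredential or a user-name string (which is
	# handed to Get-Credential to prompt for the password). Anything else,
	# including $null from a cancelled prompt, is rejected up front so the caller
	# gets a clear message instead of "cannot call a method on a null-valued expression".
	if ( $Credential -is [System.Management.Automation.PSCredential] ) {
		# already usable as-is
	} elseif ( $Credential -is [string] ) {
		$Credential = Get-Credential -credential $Credential
		if ( $Credential -eq $null ) {
			Throw "Credential prompt was cancelled; nothing exported."
		}
	} else {
		Throw "You must specify a credential object to export to disk."
	}

	# Create temporary object to be serialized to disk
	$export = "" | Select-Object Username, EncryptedPassword

	# Give object a type name which can be identified later
	# (Import-PSCredential looks for 'Deserialized.ExportedPSCredential')
	$export.PSObject.TypeNames.Insert(0, 'ExportedPSCredential')

	$export.Username = $Credential.Username

	# Encrypt SecureString password using the Windows Data Protection API.
	# Without -Key, ConvertFrom-SecureString uses the current-user DPAPI scope:
	# only the same user account on the same machine can decrypt the result.
	# Anyone able to run code as that user can still recover the password, so
	# restrict the file's ACL to that user.
	# NOTE(review): on non-Windows PowerShell there is no DPAPI and this output
	# is not protected — confirm before relying on it cross-platform.
	$export.EncryptedPassword = $Credential.Password | ConvertFrom-SecureString

	# Export using the Export-Clixml cmdlet
	$export | Export-Clixml $Path
	# Name the path in the message itself; the FileInfo below is emitted on the
	# pipeline, so it would otherwise be formatted separately from this line.
	Write-Host -foregroundcolor Green "Credentials saved to: $Path"

	# Return FileInfo object referring to saved credentials
	Get-Item $Path
}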

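function Import-PSCredential {
	param ( $Path = "credentials.enc.xml" )

	# Import credential file (Import-Clixml itself reports a missing/unreadable path)
	$import = Import-Clixml $Path

	# Test for valid import: only accept files written by Export-PSCredential
	if ( $import.PSObject.TypeNames -notcontains 'Deserialized.ExportedPSCredential' ) {
		Throw "Input is not a valid ExportedPSCredential object, exiting."
	}
	$Username = $import.Username
	if ( -not $Username ) {
		# PSCredential refuses an empty user name; say so before New-Object does.
		Throw "Credential file '$Path' does not contain a user name."
	}

	# Decrypt the password and store as a SecureString object for safekeeping.
	# ConvertTo-SecureString without -Key uses current-user DPAPI, so this only
	# succeeds for the account (and machine) that ran Export-PSCredential; a
	# failure leaves $SecurePass empty, which is reported explicitly here instead
	# of surfacing as an opaque "password is null" error from New-Object.
	$SecurePass = $import.EncryptedPassword | ConvertTo-SecureString
	if ( -not $SecurePass ) {
		Throw "Cannot decrypt '$Path': it was not encrypted by this user account on this machine."
	}

	# Build the new credential object
	$Credential = New-Object System.Management.Automation.PSCredential $Username, $SecurePass
	Write-Output $Credential
}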