
PSAvoidUsingConvertToSecureStringWithPlainText how can i encrypt plain strings then??

Open dotps1 opened this issue 9 years ago • 6 comments

So, I'm trying to convert a string to a SecureString, so it can be secure when I serialize it to disk. How am I supposed to do it without doing:

ConvertTo-SecureString -String 'EncryptMe' -AsPlainText -Force

In my situation, I am getting return data that is a string; I cannot prompt the user to input it as a PSCredential or something, as the user does not know what it is. But after I have the data, I want to secure it, hence ConvertTo-SecureString. Please advise how I can do this (ideally without just using ExcludeRule).

dotps1 avatar Jun 22 '16 14:06 dotps1

So, any response on this? I'm getting emails from the PowerShell gallery now because this 'rule' is being violated.

dotps1 avatar Jun 29 '16 11:06 dotps1

If you look in the Readme there is a section on how you can suppress rules, though I'm not sure I agree that this is the correct way to go with it.

kilasuit avatar Jun 29 '16 11:06 kilasuit

Yeah, I understand that; I'm more interested in how the PowerShell team wants this action to be completed without using -AsPlainText -Force. And, as I said, the PowerShell Gallery is sending emails because of the PSScriptAnalyzer rule violation. I can mute it all I want for myself, but not for them.

dotps1 avatar Jun 29 '16 11:06 dotps1

Well, per a suggestion by a moderator from the PSGallery, rather than accepting a plain text string, using ConvertTo-SecureString, then serializing that to disk, I moved the value to the Windows Credential Manager. Example setting the value here, and example getting the value back here. I'm not sure if this is the 'right' way to handle this, but as long as the data is secure at rest, and I can still retrieve it, and the PSGallery is happy, I guess I'll use it.

dotps1 avatar Jun 30 '16 14:06 dotps1

Frankly, in the case where you're getting something as a string from an API and then want to convert it to a SecureString, I think what you did is the right thing, with one caveat:

You need to avoid ever having it in a variable at all, since you can't clean up the string variable once you've created it. I see your attempt to do that by removing the variable and forcing garbage collection in the new script, which is probably the best you can do if you're calling an API or interacting with another language. It's painful.

As to whether storing it in the vault is better than encrypting it with ConvertFrom-SecureString and storing it on disk ... it's pretty much the same.

The fact that they warn you about using ConvertTo-SecureString but not about using the constructor to Windows.Security.Credentials.PasswordCredential (or indeed, using that class at all, considering that it stores the password in a plain string instead of a SecureString) ... just goes to show the futility of putting security checks in a linter.

Jaykul avatar Jul 11 '16 23:07 Jaykul
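As an added example (not code from this thread or from PSScriptAnalyzer), here is the on-disk alternative Jaykul compares with the vault: the plain string returned by an API is wrapped once, encrypted with the calling user's DPAPI key via ConvertFrom-SecureString, and read back later as a SecureString so the plaintext is never re-created, with the best-effort cleanup he describes. Function names, the file path and the justification text are assumptions; the in-script suppression attribute is the mechanism referenced in the README above.

```powershell
# Added example, not from the thread. Persists an API-returned secret at rest
# with DPAPI (ConvertFrom-SecureString) and reads it back as a SecureString.
# DPAPI ciphertext is bound to the user account and machine that created it,
# so Get-ApiSecret only works for that same user on that same machine.

function Save-ApiSecret {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute(
        'PSAvoidUsingConvertToSecureStringWithPlainText', '',
        Justification = 'Value arrives as a plain string from an API; no prompt possible')]
    param(
        [Parameter(Mandatory)][string]$PlainText,  # as returned by the API
        [Parameter(Mandatory)][string]$Path        # assumed: "$env:LOCALAPPDATA\myapp\secret.txt"
    )
    # The only place -AsPlainText is used: wrap immediately, encrypt with the
    # current user's DPAPI key, and write just the ciphertext to disk.
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -NoNewline

    # Best-effort cleanup: a .NET string is immutable, so this only drops the
    # references and lets the GC reclaim them; the bytes may linger until then.
    $secure.Dispose()
    Remove-Variable -Name PlainText, secure
    [GC]::Collect()
}

function Get-ApiSecret {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$UserName = 'api'   # assumed label; the secret is the password part
    )
    # Decrypts with the same user's DPAPI key; fails for another user or machine.
    $secure = Get-Content -Path $Path -Raw | ConvertTo-SecureString
    # Hand it back as a PSCredential so callers never touch the plaintext.
    [pscredential]::new($UserName, $secure)
}

# Usage (assumed paths and values):
# Save-ApiSecret -PlainText $apiResponse.token -Path "$env:LOCALAPPDATA\myapp\secret.txt"
# $cred = Get-ApiSecret -Path "$env:LOCALAPPDATA\myapp\secret.txt"
# Invoke-RestMethod -Uri $uri -Credential $cred
```

Note that, as the thread says, a copy of the string still exists in memory until the garbage collector runs, and anything that later calls GetNetworkCredential() on the returned PSCredential re-creates the plaintext.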

Quote:

Don't use SecureString for new code. When porting code to .NET Core, consider that the contents of the array are not encrypted in memory.

The general approach of dealing with credentials is to avoid them and instead rely on other means to authenticate, such as certificates or Windows authentication.

In other words: you can't authenticate a script; instead you need to authenticate the (user or computer) account that runs the script...

iRon7 avatar Apr 24 '24 15:04 iRon7