You’d want to encrypt the password in your file, and decrypt it when the script runs. How you do this, exactly, depends on who needs to be able to run the script. (Or in other words, who has the key that is able to decrypt the password?)
If you’re the one running the script, it’s very easy. Just create a PSCredential object with the Get-Credential cmdlet, then pipe it to Export-Clixml. PowerShell will automatically encrypt the password for you, and when you use Import-Clixml later to load that file up from disk, you’ll have a credential object again (with the correct password.) The encryption key used for that file is part of your user profile (the Windows Data Protection API, if you’re curious and want to read up on how that all works.) That means that other users won’t be able to decrypt the password, nor will you be able to decrypt it on another computer in most cases.
If you need to share the password with other users, the best approach is to use certificates. Each user can have their own cert (which contains a private key), and you can encrypt your password using multiple certificates so that each authorized user is able to read it. PowerShell v5 added some new commands to help with this: Protect-CmsMessage and Unprotect-CmsMessage. If you need to use older version of PowerShell instead, I’ve got a module called ProtectedData which works much the same way (with Protect-Data and Unprotect-Data commands, uses certificates.)
I gave a presentation on this topic at the PowerShell summit a year or so ago: Keeping Secrets - YouTube
Wow Dave, things finally got slow here and I was able to thoughtfully read your post and follow it…
This is such an amazing technique! It’s easy, and actually secure! Thanks again for the great tip, this is one of my new favorite powershell methods and committed to memory!
