Save BIG Powershell script as secure-string

Hello,
I have created a PowerShell script that encrypts another PowerShell script file into a secure-string file (using the user with machine credentials).
The goal is to run this script with task manager with the account used for encrypting this PowerShell script.
This works flawlessly! So my script is protected, can not be copied … (I hope).

The only problem is that the maximum secure-string size is 65536; I have one script that is more than 2 times as big as this maximum size …
I tried many things to split this string ($var.Substring, -split, …) but it does not help …

Any help??

Couldn't get you here. Are you trying to mask the script content?

If you want to encrypt/decrypt a file (scripts included), I’d recommend using a certificate. Here’s an article that describes the process.

Yes indeed,
so that other admins (that have access to the same server) do not copy my work.

If I use a certificate to encrypt a script, then the private key must be available on the server running the task sequence … so other admins can use this key to decrypt my script … this is not wanted …
Also, changing the encryption from user/PC to certificate does not change the limit of 65536 characters for a string to encrypt …

I have the encryption/decryption part covered … it works flawlessly for scripts smaller than 65536; I just can not find a way to -split or $var.Substring it to limit the size of the string to encrypt.

The private key should be in a key store or other location that is accessible by you (password protected or a hardware device). If you are worried about other people with admin priv on a box accessing your work, your SecureString idea would not be bulletproof. If they have admin priv, they can change your account password and log in as you.

PowerShell processes plain text, so even if you encrypt a script, when it is executed it must be decrypted, at least in memory if not on the file system. Additionally, the machine should probably have script block logging enabled, which means most everything you execute is in the log and readable by admins.


FileVault
Encrypt-File

If you need to store a secret that can be shared with a group of people, then you'll need to implement a vault that other people have access to. If you are doing this for the corporate world, HashiVault would be a good option. Keybase has a vault too, but all of the group members would need to be running the Keybase client for this to work. Keybase is a very underrated application.

I would solve this by not encrypting the script, but by creating a private Keybase team and then copying the script to the private Keybase team for distribution. The Keybase client would be required.

If you worry about your script getting stolen, maybe consider writing it in C# and compiling it. Still no 100% guarantee. But even if you store your script as a secure string, the auditing capabilities will still write it into the Event Log as plaintext.

Also, just an FYI regarding "certificate and private key": be aware of key recovery agents :wink:
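Added worked example (editor's note; this is not code posted by anyone in the thread). It covers both the original poster's question about getting past the 65536-character SecureString limit, by splitting the script into pieces that each get their own ConvertFrom-SecureString (DPAPI, bound to the same user and machine) and reassembling them at run time, and the point the later replies make: once the reassembled script runs, script block logging writes its text into Event ID 4104 where any admin can read it. The paths C:\scripts\big.ps1 and C:\scripts\big.vault are assumptions; the functions Protect-ScriptFile and Unprotect-ScriptFile are names chosen for this example.

```powershell
# Added example, not code from the thread. Splits a script larger than 65536 characters into
# SecureString-sized pieces, protects each with DPAPI via ConvertFrom-SecureString, reassembles
# it under the same account, then shows the plaintext turning up in the script block log.
# The paths below are hypothetical.

$MaxChunk = 60000   # SecureString refuses more than 65536 characters; leave headroom

function Protect-ScriptFile {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $VaultPath
    )
    $text   = Get-Content -Path $ScriptPath -Raw
    $chunks = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $text.Length; $i += $MaxChunk) {
        $len   = [Math]::Min($MaxChunk, $text.Length - $i)
        $piece = $text.Substring($i, $len)
        # One SecureString per piece, then a DPAPI-protected standard string
        # (tied to this user on this machine, which is what the poster relies on)
        $secure = ConvertTo-SecureString -String $piece -AsPlainText -Force
        $chunks.Add((ConvertFrom-SecureString -SecureString $secure))
    }
    # One protected chunk per line; line order is the reassembly order
    Set-Content -Path $VaultPath -Value $chunks.ToArray()
    return $chunks.Count
}

function Unprotect-ScriptFile {
    param([Parameter(Mandatory)] [string] $VaultPath)
    $sb = New-Object System.Text.StringBuilder
    foreach ($line in Get-Content -Path $VaultPath) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Fails unless run as the protecting user on the protecting machine
        $secure = ConvertTo-SecureString -String $line
        $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        try     { [void]$sb.Append([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    }
    return $sb.ToString()
}

# --- usage (hypothetical paths) ---
$src   = 'C:\scripts\big.ps1'
$vault = 'C:\scripts\big.vault'
$n = Protect-ScriptFile -ScriptPath $src -VaultPath $vault
"$n chunk(s) written to $vault"

$plain = Unprotect-ScriptFile -VaultPath $vault
if ($plain -ne (Get-Content -Path $src -Raw)) { throw 'round trip mismatch' }

# Run it the way the scheduled task would; the plaintext now exists in this process
& ([scriptblock]::Create($plain))

# The caveat from the replies: with script block logging on, the reassembled script can be
# read back out of Event ID 4104 by anyone who can read the log (Properties[2] is the text).
$marker = $plain.Substring(0, [Math]::Min(40, $plain.Length))
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value.Contains($marker) } |
    Select-Object TimeCreated, @{ n = 'Text'; e = { $_.Properties[2].Value } }
```

Two things worth noting. The split is done on the raw character string rather than on lines so that a piece never exceeds the limit regardless of line length, and the pieces are concatenated back byte-for-byte before anything is executed, which is why the round-trip check compares against the original file. And the last query is the practical version of the warning in the replies: if it returns the script text, so will any other admin's query, so the chunked SecureString protects the file at rest on disk and nothing more.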