Secure string vs. encrypted standard string

thomas-franke · August 22, 2013, 12:06am

Can someone help me in understanding the difference between a secure string and an encrypted standard string?

From the PowerShell help: “The ConvertFrom-SecureString cmdlet converts a secure string (System.Security.SecureString) into an encrypted standard string (System.String). Unlike a secure string, an encrypted standard string can be saved in a file for later use.”

Ok. So I create a PSCredential object which contains a password as a secure string:

$PasswordAsSecureString = Read-Host "Enter password for $UserName" -AsSecureString
$PSCredential = New-Object System.Management.Automation.PSCredential $UserName, $PasswordAsSecureString

Then I use Export-Clixml and save it to disk. Huh? Didn’t they mentioned this cannot be done?

Let’s try something different: I convert the secure string into an encrypted standard string and display it on the screen:

$EncryptedPassword = $PasswordAsSecureString | ConvertFrom-Securestring

Then I open the XML-file from above and compare both strings - and they are actually IDENTICAL!

If both strings are the same, then I don’t understand the difference. Or is one of them converted automatically, e.g. by saving it into a file? Then what do I need the ConvertFrom/ConvertTo-SecureString cmdlets for?

system · August 22, 2013, 12:25am

Export-CliXml will do the conversion for you. ConvertFrom-SecureString is mainly if you want to write your own file output (via Add-Content, Out-File, or whatever).

thomas-franke · August 22, 2013, 10:33pm

Thx a lot, now I have a better understanding!

Btw. Import-CliXml does the conversion as well, so you can read and write PSCredential objects directly without having to deal with the string conversions.

bob-mccoy · August 23, 2013, 4:39am

Since the encryption is based on DPAPI based on the user’s context and the machine the SecureString was created on, it can be handy to know where that happened. You can add a NoteProperty as an FYI before you export it as XML.

$PSCredential | Add-Member -NotePropertyName Origin -NotePropertyValue $env:COMPUTERNAME

thomas-franke · August 26, 2013, 6:44pm

Great idea - I’ll Keep that in mind! And this technique might come in handy in other situations as well. Many thanks!

Topic		Replies	Views
Powershell specifiy a literal "encrypted standard string"? PowerShell Help	3	180	May 16, 2024
Padding is invalid and cannot be removed. PowerShell Help	5	632	May 16, 2024
I get an error using a PowerShell script for encrypting/decrypting a file PowerShell Help	6	336	May 16, 2024
Converting a string with Base64 and Uncompress PowerShell Help	1	305	May 16, 2024
How to use escape sequence in powershell command PowerShell Help	16	1503	May 16, 2024

Secure string vs. encrypted standard string

Related Topics