Hi. This is a topic that has been discussed many times in various places, but so far I haven’t found any satisfactory answer/solution.
What I need is to:
- securely store passwords/credentials in a script
- be able to distribute the script to other users and machines so that they can run the script, but never be able to extract the password in a manner that would allow them to use the credentials elsewhere
There are two reasons for this - automation and task delegation (without permission delegation). I need operators (humans) and automation systems (for example, SC Orchestrator) to run scripts that perform actions as privileged/elevated users, but these users themselves can never have the permissions of these privileged users.
There are several “solutions” to this that I’ve found:
- use SecureStrings and encode the password with a key into a separate file - doesn’t solve a thing since in order to run the script the user needs access to the file with the key and therefore the user can then access the SecureString and decode it…
- use EFS encryption … same problem as above
- convert the PS script to an .EXE file (PS2EXE or PowerGUI) - both look nice, but they still expose the script in plain text. PS2EXE even includes a switch to extract the PS script from the EXE file; PowerGUI allows you to password-protect the extraction, but from what I understand the script is still exposed as plaintext during runtime - so it can be read from memory by the user?
Is there any solution to this? I assume (maybe incorrectly), there’s no direct solution to this in PowerShell itself. In my layman’s terms, I can’t imagine why it’d be so complicated to encrypt/hash a script and then convert it to an EXE without directly exposing the script content anywhere (extraction, runtime - memory) etc.
I hope I’m overlooking some solution since this must be a pretty common problem for many organizations.
Thanks in advance
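The first bullet's objection, shown concretely in PowerShell. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (DPAPI is Windows-only) and uses a constructed sample password.

```powershell
# Constructed sample credential - not a real one.
$plain  = 'Constructed-Sample-P@ss'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Scheme from the post: export the SecureString with a 256-bit AES key that is
# stored in a separate file shipped alongside the script.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$blob = ConvertFrom-SecureString $secure -Key $key   # what would go in the file

# Whoever can run the script can read $key, so the same two calls the script
# uses to load the credential also recover the plaintext - the blob is only as
# secret as the key file sitting next to it.
$loaded    = ConvertTo-SecureString $blob -Key $key
$recovered = (New-Object System.Net.NetworkCredential('', $loaded)).Password
"Plaintext recovered with the distributed key: $($recovered -eq $plain)"   # True

# Without -Key, ConvertFrom-SecureString uses DPAPI: the blob is bound to the
# current user account on the current machine and cannot simply be copied
# around with the script.
$dpapiBlob = ConvertFrom-SecureString $secure
"DPAPI blob round-trips under the SAME account: $(
    (New-Object System.Net.NetworkCredential('', (ConvertTo-SecureString $dpapiBlob))).Password -eq $plain
)"   # True here; the same ConvertTo-SecureString call under another user or on
     # another host throws a DPAPI error instead of returning the credential.
```

DPAPI therefore protects the blob from other accounts, but it does not help the poster's case either: a user who runs the script under the account that owns the blob can still call the same decode under that account.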