Export A PowerShell Credential
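function Export-PSCredential
{
    <#
    .SYNOPSIS
        Exports a credential object into an XML file or registry value with an encrypted password.
    .DESCRIPTION
        The password is serialized with ConvertFrom-SecureString. Without -KeyPhrase the cipher is
        produced by the Data Protection API in the current user's scope, so it can ONLY be decrypted
        by the user account that created the export. With -KeyPhrase a key is derived from the phrase
        (via Get-EncryptionKey) and anybody holding the phrase can decrypt it.
        Honours -WhatIf / -Confirm: no file or registry value is written unless ShouldProcess approves.
    .PARAMETER Credential
        Specifies the Credential to export. Use Get-Credential to supply this. Accepts pipeline input.
    .PARAMETER Path
        Specifies the file to export to. Default is (CurrentDir)\encrypted.xml. The parent directory must already exist.
    .PARAMETER RegistryPath
        Specifies the registry key to export the credentials to. Use HKLM: and HKCU: for HKEY_LOCAL_MACHINE and
        HKEY_CURRENT_USER respectively. Example: HKCU:\Software\Acme Inc\MyCredentials
        The key is created if it does not exist.
    .PARAMETER Name
        Specifies the name of the registry value to store the credentials under. Only specify with RegistryPath.
    .PARAMETER KeyPhrase
        Specifies the key phrase used to derive the encryption key. If not specified, a key derived from the
        user's account is used and only the user who encrypted the password can decrypt it. If a key phrase is
        specified, anybody with the phrase can decrypt it. The phrase is passed as a plain string, so it will
        appear in command history, transcripts and process listings; supply it from a protected source rather
        than typing it inline.
    .EXAMPLE
        PS> (Get-Credential bsti) | Export-PSCredential
        # Encrypts the credential for username bsti and exports to the current directory as encrypted.xml
    .EXAMPLE
        PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml
        # Encrypts the credential for username bsti and exports it to C:\temp\mycreds.xml
    .EXAMPLE
        PS> (Get-Credential bsti) | Export-PSCredential -RegistryPath "HKCU:\Software\Acme Inc\MyCreds" -Name "switch1"
        # Encrypts the credential for username bsti and exports to the registry at the given path, under the value switch1.
    .EXAMPLE
        PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml -KeyPhrase "ThisisMyEncryptionPassword123"
        # Encrypts the credential for username bsti and exports it to the filesystem. Anyone with the keyphrase can decrypt it.
    .OUTPUTS
        Filesystem parameter set: the [System.IO.FileInfo] object for the file that was created.
        Registry parameter set: the registry key item (as returned by Get-Item) that the value was written to.
        Nothing is output when the write is declined via -WhatIf / -Confirm.
    #>
    [CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="filesystem")]
    param
    (
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [Management.Automation.PSCredential] $Credential,

        [Parameter(ParameterSetName="filesystem")]
        [ValidateScript({ Test-Path -Path (Split-Path -Path $_) -PathType Container })]
        [string] $Path = $(Join-Path -Path (Get-Location) -ChildPath "encrypted.xml"),

        [Parameter(Mandatory=$true,ParameterSetName="registry")]
        [string] $RegistryPath,

        [Parameter(Mandatory=$true,ParameterSetName="registry")]
        [string] $Name,

        [string] $KeyPhrase
    )
    process
    {
        foreach ( $cred in $Credential )
        {
            # Temporary object to be serialized; tagged with a type name so an importer can recognise it later
            $export = "" | Select-Object Username, EncryptedPassword
            $export.PSObject.TypeNames.Insert(0,"ExportedPSCredential")
            # Use the loop variable rather than the bound parameter so each item is exported with its own values
            $export.Username = $cred.UserName

            # Encrypt the SecureString password. Without -Key, ConvertFrom-SecureString uses the Data Protection
            # API and only the current user account can decrypt the cipher; with -Key, anyone holding the phrase can.
            $params = @{}
            if ( $KeyPhrase )
            {
                $params.Add("Key", (Get-EncryptionKey -KeyPhrase $KeyPhrase))
            }
            $export.EncryptedPassword = $cred.Password | ConvertFrom-SecureString @params

            $action = "Export credential for '{0}'" -f $export.Username

            if ( $PSCmdlet.ParameterSetName -ieq "registry" )
            {
                $target = "{0} (value '{1}')" -f $RegistryPath, $Name
                # SupportsShouldProcess is declared, so consult it before any write (-WhatIf previously had no effect)
                if ( $PSCmdlet.ShouldProcess($target, $action) )
                {
                    # Make sure the registry key exists
                    if ( !(Test-Path -Path $RegistryPath) )
                    {
                        New-Item -Path $RegistryPath -Force -ErrorAction Stop | Out-Null
                    }
                    # Set/Update the credential in the registry store as "username:cipher"
                    Set-ItemProperty -Path $RegistryPath -Name $Name -Value ("{0}:{1}" -f $export.Username, $export.EncryptedPassword) -Force -ErrorAction Stop
                    # Return the key the value was written to (documented in .OUTPUTS)
                    Get-Item -Path $RegistryPath
                }
            }
            else
            {
                if ( $PSCmdlet.ShouldProcess($Path, $action) )
                {
                    # -ErrorAction Stop so a failed write does not fall through to Get-Item on a missing file
                    $export | Export-Clixml -Path $Path -ErrorAction Stop
                    # Return FileInfo object referring to the saved credentials
                    Get-Item -Path $Path
                }
            }
        }
    }
}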