BrandonStiff/Export-PSCredential.ps1

## Export-PSCredential.ps1
function Export-PSCredential
{
  <#
    .SYNOPSIS
    Exports a credential object into an XML file or registry value with an encrypted password.  An important note is that the encrypted password can ONLY be read by the user who created the exported file
      unless a passphrase is provided.

    .PARAMETER Credential
    Specifies the Credential to export to a file.  Use Get-Credential to supply this.

    .PARAMETER Path
    Specifies the file to export to.  Default is (CurrentDir)\encrypted.xml.

    .PARAMETER RegistryPath
    Specifies the path to the registry to export the credentials to. Use HKLM and HCKU for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively.  Example:  HKCU:\Software\Acme Inc\MyCredentials

    .PARAMETER Name
    Specifies the name of the registry value to store the credentials under.  Only specify with RegistryPath.

    .PARAMETER KeyPhrase
    Specifies the key phrase to use to encrypt the password.  If not specified, then a key derived from the user's account is used.  This makes the password only decryptable by the user who encrypted it.
    If a key is specified, then anybody with the key can decrypt it.

    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential
    #  Encrypts the credential for username bsti and exports to the current directory as encrypted.xml

    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml
    #  Encrypts the credential for username bsti and exports to the current directory as encrypted.xml

    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -RegistryPath "HKCU:\Software\Acme Inc\MyCreds" -Name "switch1"
    #  Encrypts the credential for username bsti and exports to the registry at the given path, under the value switch1.

    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml -KeyPhrase "ThisisMyEncryptionPassword123"
    #  Encrypts the credential for username bsti and exports it to the filesystem.  Anyone with the keyphrase can decrypt it.

    .OUTPUTS
    Returns the [System.IO.FileInfo] object representing file that was created or the path to the registry key the credentials were exported to.

  #>

  [CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="filesystem")]
  param
  (
    [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [Management.Automation.PSCredential] $Credential,

    [Parameter(ParameterSetName="filesystem")]
    [ValidateScript({ Test-Path -Path (Split-Path -Path $_) -PathType Container } )]
    [string] $Path = $(Join-Path -Path (Get-Location) -ChildPath "encrypted.xml"),

    [Parameter(Mandatory=$true,ParameterSetName="registry")]
    [string] $RegistryPath,

    [Parameter(Mandatory=$true,ParameterSetName="registry")]
    [string] $Name,

    [string] $KeyPhrase
  )

  process
  {
    foreach ( $cred in $Credential )
    {
      # Create temporary object to be serialized to disk
      $export = "" | Select-Object Username, EncryptedPassword

      # Give object a type name which can be identified later
      $export.PSObject.TypeNames.Insert(0,"ExportedPSCredential")
      $export.Username = $Credential.Username

      # Encrypt SecureString password using Data Protection API
      # Only the current user account can decrypt this cipher unless a key is specified:

      $params = @{}
      if ( $KeyPhrase )
      {
        $params.Add("Key", (Get-EncryptionKey -KeyPhrase $KeyPhrase))
      }

      $export.EncryptedPassword = $Credential.Password | ConvertFrom-SecureString @params

      if ( $PSCmdlet.ParameterSetName -ieq "registry" )
      {
        #  Export to registry

        #  Make sure the registry key exists:
        if ( !(Test-Path -Path $RegistryPath) )
        {
          New-Item -Path $RegistryPath -Force | Out-Null
        }

        #  Set/Update the credential in the registry store:
        Set-ItemProperty -Path $RegistryPath -Name $Name -Value ("{0}:{1}" -f $export.UserName, $export.EncryptedPassword) -Force
      }
      else
      {
        # Export using the Export-Clixml cmdlet
        $export | Export-Clixml $Path

        # Return FileInfo object referring to saved credentials
        Get-Item -Path $Path
      }
    }
  }
}
	function Export-PSCredential
	{
	<#
	.SYNOPSIS
	Exports a credential object into an XML file or registry value with an encrypted password. An important note is that the encrypted password can ONLY be read by the user who created the exported file
	unless a passphrase is provided.

	.PARAMETER Credential
	Specifies the Credential to export to a file. Use Get-Credential to supply this.

	.PARAMETER Path
	Specifies the file to export to. Default is (CurrentDir)\encrypted.xml.

	.PARAMETER RegistryPath
	Specifies the path to the registry to export the credentials to. Use HKLM and HCKU for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively. Example: HKCU:\Software\Acme Inc\MyCredentials

	.PARAMETER Name
	Specifies the name of the registry value to store the credentials under. Only specify with RegistryPath.

	.PARAMETER KeyPhrase
	Specifies the key phrase to use to encrypt the password. If not specified, then a key derived from the user's account is used. This makes the password only decryptable by the user who encrypted it.
	If a key is specified, then anybody with the key can decrypt it.

	.EXAMPLE
	PS> (Get-Credential bsti) \| Export-PSCredential
	# Encrypts the credential for username bsti and exports to the current directory as encrypted.xml

	.EXAMPLE
	PS> (Get-Credential bsti) \| Export-PSCredential -Path C:\temp\mycreds.xml
	# Encrypts the credential for username bsti and exports to the current directory as encrypted.xml

	.EXAMPLE
	PS> (Get-Credential bsti) \| Export-PSCredential -RegistryPath "HKCU:\Software\Acme Inc\MyCreds" -Name "switch1"
	# Encrypts the credential for username bsti and exports to the registry at the given path, under the value switch1.

	.EXAMPLE
	PS> (Get-Credential bsti) \| Export-PSCredential -Path C:\temp\mycreds.xml -KeyPhrase "ThisisMyEncryptionPassword123"
	# Encrypts the credential for username bsti and exports it to the filesystem. Anyone with the keyphrase can decrypt it.

	.OUTPUTS
	Returns the [System.IO.FileInfo] object representing file that was created or the path to the registry key the credentials were exported to.

	#>

	[CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="filesystem")]
	param
	(
	[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
	[Management.Automation.PSCredential] $Credential,

	[Parameter(ParameterSetName="filesystem")]
	[ValidateScript({ Test-Path -Path (Split-Path -Path $_) -PathType Container } )]
	[string] $Path = $(Join-Path -Path (Get-Location) -ChildPath "encrypted.xml"),

	[Parameter(Mandatory=$true,ParameterSetName="registry")]
	[string] $RegistryPath,

	[Parameter(Mandatory=$true,ParameterSetName="registry")]
	[string] $Name,

	[string] $KeyPhrase
	)

	process
	{
	foreach ( $cred in $Credential )
	{
	# Create temporary object to be serialized to disk
	$export = "" \| Select-Object Username, EncryptedPassword

	# Give object a type name which can be identified later
	$export.PSObject.TypeNames.Insert(0,"ExportedPSCredential")
	$export.Username = $Credential.Username

	# Encrypt SecureString password using Data Protection API
	# Only the current user account can decrypt this cipher unless a key is specified:

	$params = @{}
	if ( $KeyPhrase )
	{
	$params.Add("Key", (Get-EncryptionKey -KeyPhrase $KeyPhrase))
	}

	$export.EncryptedPassword = $Credential.Password \| ConvertFrom-SecureString @params

	if ( $PSCmdlet.ParameterSetName -ieq "registry" )
	{
	# Export to registry

	# Make sure the registry key exists:
	if ( !(Test-Path -Path $RegistryPath) )
	{
	New-Item -Path $RegistryPath -Force \| Out-Null
	}

	# Set/Update the credential in the registry store:
	Set-ItemProperty -Path $RegistryPath -Name $Name -Value ("{0}:{1}" -f $export.UserName, $export.EncryptedPassword) -Force
	}
	else
	{
	# Export using the Export-Clixml cmdlet
	$export \| Export-Clixml $Path

	# Return FileInfo object referring to saved credentials
	Get-Item -Path $Path
	}
	}
	}
	}