Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Export A PowerShell Credential
function Export-PSCredential
{
<#
.SYNOPSIS
Exports a credential object into an XML file or registry value with an encrypted password. An important note is that the encrypted password can ONLY be read by the user who created the exported file
unless a passphrase is provided.
.PARAMETER Credential
Specifies the Credential to export to a file. Use Get-Credential to supply this.
.PARAMETER Path
Specifies the file to export to. Default is (CurrentDir)\encrypted.xml.
.PARAMETER RegistryPath
Specifies the path to the registry to export the credentials to. Use HKLM and HCKU for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively. Example: HKCU:\Software\Acme Inc\MyCredentials
.PARAMETER Name
Specifies the name of the registry value to store the credentials under. Only specify with RegistryPath.
.PARAMETER KeyPhrase
Specifies the key phrase to use to encrypt the password. If not specified, then a key derived from the user's account is used. This makes the password only decryptable by the user who encrypted it.
If a key is specified, then anybody with the key can decrypt it.
.EXAMPLE
PS> (Get-Credential bsti) | Export-PSCredential
# Encrypts the credential for username bsti and exports to the current directory as encrypted.xml
.EXAMPLE
PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml
# Encrypts the credential for username bsti and exports to the current directory as encrypted.xml
.EXAMPLE
PS> (Get-Credential bsti) | Export-PSCredential -RegistryPath "HKCU:\Software\Acme Inc\MyCreds" -Name "switch1"
# Encrypts the credential for username bsti and exports to the registry at the given path, under the value switch1.
.EXAMPLE
PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml -KeyPhrase "ThisisMyEncryptionPassword123"
# Encrypts the credential for username bsti and exports it to the filesystem. Anyone with the keyphrase can decrypt it.
.OUTPUTS
Returns the [System.IO.FileInfo] object representing file that was created or the path to the registry key the credentials were exported to.
#>
[CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="filesystem")]
param
(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[Management.Automation.PSCredential] $Credential,
[Parameter(ParameterSetName="filesystem")]
[ValidateScript({ Test-Path -Path (Split-Path -Path $_) -PathType Container } )]
[string] $Path = $(Join-Path -Path (Get-Location) -ChildPath "encrypted.xml"),
[Parameter(Mandatory=$true,ParameterSetName="registry")]
[string] $RegistryPath,
[Parameter(Mandatory=$true,ParameterSetName="registry")]
[string] $Name,
[string] $KeyPhrase
)
process
{
foreach ( $cred in $Credential )
{
# Create temporary object to be serialized to disk
$export = "" | Select-Object Username, EncryptedPassword
# Give object a type name which can be identified later
$export.PSObject.TypeNames.Insert(0,"ExportedPSCredential")
$export.Username = $Credential.Username
# Encrypt SecureString password using Data Protection API
# Only the current user account can decrypt this cipher unless a key is specified:
$params = @{}
if ( $KeyPhrase )
{
$params.Add("Key", (Get-EncryptionKey -KeyPhrase $KeyPhrase))
}
$export.EncryptedPassword = $Credential.Password | ConvertFrom-SecureString @params
if ( $PSCmdlet.ParameterSetName -ieq "registry" )
{
# Export to registry
# Make sure the registry key exists:
if ( !(Test-Path -Path $RegistryPath) )
{
New-Item -Path $RegistryPath -Force | Out-Null
}
# Set/Update the credential in the registry store:
Set-ItemProperty -Path $RegistryPath -Name $Name -Value ("{0}:{1}" -f $export.UserName, $export.EncryptedPassword) -Force
}
else
{
# Export using the Export-Clixml cmdlet
$export | Export-Clixml $Path
# Return FileInfo object referring to saved credentials
Get-Item -Path $Path
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.