Powershell obfuscating plain text passwords

phoeneous

I have several sftp services running on multiple clients.  These services use powershell and winscp to grab their files.  At the moment the passwords are stored in plain text in the .ps1 file which I'd like to move away from.  Any suggestions on obfuscating/scrambling the passwords?  I understand that any savvy user could in turn decode them but the location of the scripts is locked down and the clients sign all sorts of confidentiality agreements.  Currently the quickest solution that I can think of is to simply encode them to base64 ahead of time, store the encoded password in the .ps1 file and call :FromBase64String before running the sftp script.  Thoughts? 

thomas_

I think what’s you’re looking for is a PScredential and the get-credential commandlet.  You have to convert the plaintext password into a securestring, this is a link i found on google:

https://blog.techsnips.io/how-to-create-a-pscredential-object-without-using-get-credential-in-powershell/

Only drawback it it’s still possible to read the password if you are on the same computer and logged in user.  There may be other caveats.

phoeneous

Thanks but that won't work.  The problem with our setup is that the service is installed on client boxes and once it's installed they have to manage it which means it can get moved to another box and installed under a different user.  I'll probably just encode with base64 first and then use a key to encode it again.  As long as the password isn't clearly noticeable then locking down the ps1 file is up to the client.

JDMurray

What happens when a password needs to be changed? How easy and scalable is it to do that in your system?

SteveLavoie

Make a web service so your script can retrieve their password centrally.  Encrypt your password with a customer's specific key.

Decrypt the password returned with the customer key, and you get your real password for your service. 

One of the advantage of this solution is that if you need to change your password, you don't need to change each customer's script. 

paul78

SteveLavoie said:

Make a web service so your script can retrieve their password centrally.  Encrypt your password with a customer's specific key.

Decrypt the password returned with the customer key, and you get your real password for your service. 

One of the advantage of this solution is that if you need to change your password, you don't need to change each customer's script. 

Isn't that just moving the problem? The script would still need to authenticate to the webservice. Or are you proposing using TLS-mutual auth with the webservice and client would need to submit CSRs to be signed by @phoeneous.

But I do like your suggestion, personally, I would just **** the use of SFTP if there's an option to use a webservice and I would use TLS-mutual auth to authenticate to a webservice to retrieve the files. And it addresses the issue raised by @JDMurray

phoeneous

JDMurray said:

What happens when a password needs to be changed? How easy and scalable is it to do that in your system?

That's a grey area right now since we manage the ftp account but the service runs on client machines.  At moment we'd have to get connected to client machines and manually update it which partially prompted this post.  I've been working on a simple console app that works with the powershell script and involves keys used to encrypt the password.  Thanks for all responses, I think I've got it from here.  Cheers.