The vCommander® PowerShell module uses two-stage encryption to protect credentials used in scripts. The goal is to prevent exposure of plaintext passwords through workflow steps during script execution. In the first stage, passwords are RSA-encrypted with a machine key. The encryption process produces an encrypted credential key file which can be stored on disk. During script executions, the vCommander module is used to decrypt this key and re-encrypt the password in a form that can be stored in memory. The second stage uses a standard Windows function to receive the password securely without storing it in memory as clear text.

  • The encrypted accounts can be either domain or local users.
  • The machine key is persisted in the computer’s key store instead of the user profile store.
  • This machine-level RSA key container is available to all users that can login to a computer. NTFS access control lists (ACLs) on the server can be used to restrict access to the machine key.
  • The machine key is stored here: ..\Application Data\Microsoft\Crypto\RSA\.
  • Because the key is stored on the machine that generated the encrypted credentials file, encryption and decryption must be done on that same machine. Importing the RSA key container to a different machine is not covered in this article.

To encrypt your credentials:


  1. Open a PowerShell console/ISE as administrator.
  2. Import the vCommander module into PowerShell: 
    import-module vCommander

     

  3. If the user execution policy is set to Restricted, set it to Remote Signed with the following command: 
    Set-ExecutionPolicy RemoteSigned

     

  4. Encrypt your credentials into a file for storage on disk:  
    New-EncryptCredential -destFilePath "<file-path>"

    Make sure the destination directory exists. If the destination directory doesn’t exist, an error will be thrown. If the destination file exists, it will be overwritten. It’s best practice to give this file an .xml extension. For example: 

    New-EncryptCredential -destFilePath "C:\\Scripts\vcmdr_credential_key.xml"

     

  5. Enter the username and password for the account.


The credential is encrypted, and the resulting encrypted object is serialized into the specified file. Repeat the above steps for other credentials. Regenerate these files whenever the password changes.

To decrypt your credentials:

  1. Open a PowerShell console/ISE or your scripts.
  2. Import the vCommander module into PowerShell: 
    import-module VCommander

     

  3. If the user execution policy is set to Restricted, set it to Remote Signed with the following command: 
    Set-ExecutionPolicy RemoteSigned

     

  4. Decrypt your credentials from file: 
    New-DecryptCredential –keyFilePath "<file-path>"

     

  5. An error will be thrown if the file path is incorrect. For example:  
    $credential = New-DecryptCredential -keyFilePath "C:\\Scripts\vcmdr_credential_key.xml"

    The $credential variable is a PSCredential object containing your decrypted credentials.

  6. Repeat the above steps for other credentials.

The encryption process
  1. The credentials are acquired from the user via prompt as a SecureString (System.Security.SecureString).
  2. Using the PowerShell function ConvertFrom-SecureString, the password portion of this secure string is encrypted with AES using a 256 bit key. This key is contained in Security.psm1 and can be modified.
  3. An RSA machine key container is created, using the cryptographic service provider (CSP).
  4. The username and password from step 2 are encrypted and stored in the machine keystore, using the key created in step 3 with the Microsoft RSA crypto provider.
  5. The encrypted bytes are serialized to disk as XML.