Hello,
I have used the following code to store an encrypted string. Note, UserA is not the user logged on but rather the user that was used to run PowerShell (i.e. RunAs).
PS C:\Users\Administrator> whoami
testdomain\userA
PS C:\Users\Administrator> $string = Read-Host -Prompt 'Enter String' -AsSecureString | ConvertFrom-SecureString | Set-Content c:\encString.txt
After having read up on the DPAPI it's my understanding that the key used for encryption is UserA's logon credential. When I then run PowerShell under UserB's context (i.e. RunAs) and try to pull in the encrypted string I receive the expected error seen below.
PS C:\Users\Administrator> whoami
testdomain\userB
PS C:\Users\Administrator> $UserAEncString = Get-Content c:\encString.txt | ConvertTo-SecureString
ConvertTo-SecureString : Key not valid for use in specified state.
At line:1 char:47
+ $UserAEncString = Get-Content c:\encString.txt | ConvertTo-SecureString
+                                                  ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
    + FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
This is obviously normal because UserB's logon credential is different from UserA's. I'm looking for clarification / confirmation that the only user that will be able to leverage the encrypted string in a credential is UserA. An example of what I mean by leveraging a credential is listed below.
PS C:\Users\Administrator> whoami
testdomain\userA
PS C:\Users\Administrator> $UserAEncString = Get-Content c:\encString.txt | ConvertTo-SecureString
PS C:\Users\Administrator> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'MyUser',$UserAEncString

Thanks!
- Edited by Joey Piccola Friday, January 30, 2015 10:31 PM
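The following is an added example, not code from the post above. It wraps the two halves of the question (protecting a string to a file, then checking whether the current Windows identity can unwrap it into a PSCredential) in reusable functions, so the same script can be run as UserA and as UserB and the result compared. It goes one step beyond the post: the optional `-Key` parameter of `ConvertFrom-SecureString` / `ConvertTo-SecureString` is shown as the contrast case, because with an explicit AES key the blob is no longer bound to a user's DPAPI master key. The function names, the `'MyUser'` account name and the file path are assumptions chosen for the example.

```powershell
# Added example (not from the original post). Assumes $Path is a file the caller can read and write.

function Protect-SecretToFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [byte[]]$Key   # optional: 16, 24 or 32 bytes for AES; omit to use DPAPI (current user)
    )
    $secure = Read-Host -Prompt 'Enter string' -AsSecureString
    if ($Key) {
        # Explicit key: anyone holding $Key can decrypt, regardless of which Windows account they run as.
        # The key itself now needs protecting (ACLs, a vault); it is the new secret.
        $secure | ConvertFrom-SecureString -Key $Key | Set-Content -Path $Path
    } else {
        # No key: PowerShell calls DPAPI with CurrentUser scope, so the blob is tied to the
        # master key of the account that ran this, which is the behaviour the post describes.
        $secure | ConvertFrom-SecureString | Set-Content -Path $Path
    }
}

function Test-SecretFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [byte[]]$Key,
        [string]$UserName = 'MyUser'   # assumed account name for the resulting credential
    )
    # Report the identity actually running PowerShell (what 'whoami' showed in the post).
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        if ($Key) {
            $secure = Get-Content -Path $Path | ConvertTo-SecureString -Key $Key -ErrorAction Stop
        } else {
            $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
        }
        # Unwrapping succeeded: the secret can be turned into a usable credential under this identity.
        [pscustomobject]@{
            User       = $who
            CanDecrypt = $true
            Credential = New-Object System.Management.Automation.PSCredential($UserName, $secure)
            Error      = $null
        }
    } catch {
        # Under a different account (no -Key) this is where the
        # "Key not valid for use in specified state" error from the post lands.
        [pscustomobject]@{
            User       = $who
            CanDecrypt = $false
            Credential = $null
            Error      = $_.Exception.Message
        }
    }
}

# Usage (run once as UserA, then again as UserB, and compare CanDecrypt):
#   Protect-SecretToFile -Path C:\encString.txt
#   Test-SecretFileAccess -Path C:\encString.txt | Format-List User, CanDecrypt, Error
#
# Contrast case with a shared 256-bit key (portable between accounts, so guard the key):
#   $key = New-Object byte[] 32
#   [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
#   Protect-SecretToFile -Path C:\encStringKeyed.txt -Key $key
#   Test-SecretFileAccess -Path C:\encStringKeyed.txt -Key $key | Format-List User, CanDecrypt, Error
```

Running `Test-SecretFileAccess` without `-Key` as the account that wrote the file returns `CanDecrypt = $true`; as any other account it returns `$false` with the cryptographic error text in `Error`, which is the confirmation the post is asking for. The keyed variant flips that: decryption depends only on possession of the key bytes, so whoever can read the key file or script can also read the secret.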