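function Export-PSCredential
{
    <#
    .SYNOPSIS
    Exports a credential object to an XML file or a registry value with an encrypted password.
    Unless a key phrase is provided, the encrypted password can ONLY be read back by the user
    account that created the export.
    .PARAMETER Credential
    Specifies the credential to export. Use Get-Credential to supply this.
    .PARAMETER Path
    Specifies the file to export to. Default is (CurrentDir)\encrypted.xml.
    The parent directory must already exist.
    .PARAMETER RegistryPath
    Specifies the registry path to export the credential to. Use HKLM and HKCU for
    HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively.
    Example: HKCU:\Software\Acme Inc\MyCredentials
    .PARAMETER Name
    Specifies the name of the registry value to store the credential under.
    Only specify together with RegistryPath.
    .PARAMETER KeyPhrase
    Specifies the key phrase used to derive the encryption key (via Get-EncryptionKey).
    If not specified, ConvertFrom-SecureString protects the password with the Windows
    Data Protection API (DPAPI), so normally only the same user account on the same
    computer can decrypt it. If a key phrase is specified, anybody who knows it can decrypt
    the stored password.
    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential
    # Encrypts the credential for username bsti and exports to the current directory as encrypted.xml
    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml
    # Encrypts the credential for username bsti and exports it to C:\temp\mycreds.xml
    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -RegistryPath "HKCU:\Software\Acme Inc\MyCreds" -Name "switch1"
    # Encrypts the credential for username bsti and exports to the registry at the given path, under the value switch1.
    .EXAMPLE
    PS> (Get-Credential bsti) | Export-PSCredential -Path C:\temp\mycreds.xml -KeyPhrase "ThisisMyEncryptionPassword123"
    # Encrypts the credential for username bsti and exports it to the filesystem. Anyone with the keyphrase can decrypt it.
    .OUTPUTS
    File export: the [System.IO.FileInfo] object for the file that was created.
    Registry export: nothing is written to the pipeline.
    .NOTES
    Security considerations:
    - The user name is stored in clear text; only the password is encrypted.
    - KeyPhrase is a plain [string]. A phrase typed on the command line may be recorded in
      console history, transcripts or script-block logging. Prefer reading it at run time
      over embedding it in scripts.
    - With KeyPhrase the stored password is only as strong as the phrase and the key
      derivation in Get-EncryptionKey, which is defined outside this function.
    - The export inherits the permissions of its location. Restrict the ACL on the file or
      registry key, especially with KeyPhrase; HKLM keys are typically readable by all
      local users.
    #>
    # NOTE(review): SupportsShouldProcess is declared but ShouldProcess() is never called
    # here; -WhatIf/-Confirm take effect only through the cmdlets invoked below.
    [CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="filesystem")]
    param
    (
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [Management.Automation.PSCredential] $Credential,

        # Validation requires the parent directory of an explicitly supplied path to exist.
        [Parameter(ParameterSetName="filesystem")]
        [ValidateScript({ Test-Path -Path (Split-Path -Path $_) -PathType Container } )]
        [string] $Path = $(Join-Path -Path (Get-Location) -ChildPath "encrypted.xml"),

        [Parameter(Mandatory=$true,ParameterSetName="registry")]
        [string] $RegistryPath,

        [Parameter(Mandatory=$true,ParameterSetName="registry")]
        [string] $Name,

        [string] $KeyPhrase
    )

    process
    {
        foreach ( $cred in $Credential )
        {
            # Temporary object that gets serialized; the type name lets an importer
            # recognise it later.
            $export = "" | Select-Object Username, EncryptedPassword
            $export.PSObject.TypeNames.Insert(0,"ExportedPSCredential")

            # Use the loop variable, not the parameter, so each iterated credential is
            # the one actually exported.
            $export.Username = $cred.UserName

            # Without -Key, ConvertFrom-SecureString uses DPAPI (current user only).
            # With -Key it uses AES with the supplied key, so the result is portable to
            # anyone who can reproduce the key from the key phrase.
            $params = @{}
            if ( $KeyPhrase )
            {
                $params.Add("Key", (Get-EncryptionKey -KeyPhrase $KeyPhrase))
            }
            $export.EncryptedPassword = $cred.Password | ConvertFrom-SecureString @params

            if ( $PSCmdlet.ParameterSetName -ieq "registry" )
            {
                # Make sure the registry key exists before writing the value.
                if ( !(Test-Path -Path $RegistryPath) )
                {
                    New-Item -Path $RegistryPath -Force | Out-Null
                }

                # Stored as "<username>:<encrypted password>" in a single value.
                Set-ItemProperty -Path $RegistryPath -Name $Name -Value ("{0}:{1}" -f $export.UserName, $export.EncryptedPassword) -Force
            }
            else
            {
                # Serialize with Export-Clixml, then return the FileInfo of the saved file.
                $export | Export-Clixml -Path $Path
                Get-Item -Path $Path
            }
        }
    }
}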