This blog has moved to http://ThePowerShellGuy.com
Greetings /\/\o\/\/
As I said in my last post, Get-credential and Decrypting a SecureString in MSH, I would look into it a bit more. I got a lot of help since then (basically they worked it all out for me), so I'll just post some of it here:
First I got an Example of using Encryption in MSH from Lee Holmes in the NG:
# Plaintext to encrypt, as ASCII bytes
$plainText = "Meet at dawn."
$plainBytes = $(new-object System.Text.ASCIIEncoding).GetBytes($plainText)
# Rijndael in CBC mode
$rijndael = new-object System.Security.Cryptography.RijndaelManaged
$rijndael.Mode = "CBC"
# Derive a 32-byte key from the passphrase and salt (SHA1, 2 iterations)
$saltBytes = $(new-object System.Text.ASCIIEncoding).GetBytes("Salt")
$password = new-object `
    System.Security.Cryptography.PasswordDeriveBytes "PassPhrase",$saltBytes,"SHA1",2
$keyBytes = $password.GetBytes(32)
# 16-byte IV
$ivBytes = $(new-object System.Text.ASCIIEncoding).GetBytes("iviviviviviviviv")
$encryptor = $rijndael.CreateEncryptor($keyBytes, $ivBytes)
# Encrypt through a CryptoStream into a MemoryStream
$memoryStream = new-object System.IO.MemoryStream
$cryptoStream = new-object System.Security.Cryptography.CryptoStream `
    $memoryStream,$encryptor,"Write"
$cryptoStream.Write($plainBytes, 0, $plainBytes.Length)
$cryptoStream.FlushFinalBlock()
$cipherTextBytes = $memoryStream.ToArray()
$memoryStream.Close()
$cryptoStream.Close()
# Output the ciphertext as Base64
$cipherText = [Convert]::ToBase64String($cipherTextBytes)
$cipherText
Lee Holmes [MSFT]
As this is using Rijndael, not DPAPI, it works with a password.
Then an example of importing and exporting a key in MSH using export-securestring, also posted by Lee Holmes in the NG:
MSH:31 C:\temp > ## Part 1: User embeds "Hello World" in a SecureString
MSH:32 C:\temp > $secureString = new-secureString
Enter secret: ***********
MSH:33 C:\temp >
MSH:33 C:\temp > ## ... and creates their secret key
MSH:34 C:\temp > $secureKey = new-secureString
Enter secret: ****************
MSH:35 C:\temp >
MSH:35 C:\temp > ## Then, they export it
MSH:36 C:\temp > $exported = export-secureString $secureString $secureKey
MSH:37 C:\temp > $exported
6f5285124d9aee83fa37c64444f30f22c0d4577f9a6c6017d8feb3fa2803c65d
MSH:38 C:\temp >
MSH:38 C:\temp > ## Part 2: Another user imports that into another SecureString, using
MSH:39 C:\temp > ## the same key.
MSH:40 C:\temp > $imported = import-secureString $exported $secureKey
MSH:41 C:\temp >
MSH:41 C:\temp > ## Then, they extract the message from the SecureString
MSH:42 C:\temp > $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($imported)
MSH:43 C:\temp > $message = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($ptr)
MSH:46 C:\temp >
MSH:46 C:\temp > ## This is it
MSH:47 C:\temp > $message
Hello World
MSH:48 C:\temp >
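The same export/import round trip as the session above, as an added example that is not Lee Holmes's or this blog's code. It assumes released Windows PowerShell, where ConvertFrom-SecureString and ConvertTo-SecureString (with -Key) take the place of the MSH beta export-secureString and import-secureString; ConvertTo-PlainText is a hypothetical helper name and the secret is a constructed sample.

```powershell
# Added example: assumes released Windows PowerShell, not the MSH beta cmdlets.

function ConvertTo-PlainText {
    # Hypothetical helper name. Copies the secret into an unmanaged BSTR, reads
    # it, then zeroes and frees the BSTR even if the read throws.
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
    }
}

# Constructed sample secret; interactively you would use Read-Host -AsSecureString.
$secureString = ConvertTo-SecureString 'Hello World' -AsPlainText -Force

# 32 random bytes as the shared key (16, 24 or 32 bytes are accepted).
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()

# Part 1: export with the key. The result is text that can be stored or sent.
$exported = ConvertFrom-SecureString -SecureString $secureString -Key $key

# Without -Key the export is protected by DPAPI for the current user on this
# machine, so it is not meant to be imported by another user.
$dpapiOnly = ConvertFrom-SecureString -SecureString $secureString

# Part 2: anyone holding the same key can import the keyed export.
$imported = ConvertTo-SecureString -String $exported -Key $key
$message  = ConvertTo-PlainText $imported
$message

# Clear the key bytes once they are no longer needed.
[Array]::Clear($key, 0, $key.Length)
```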
I was testing this with DPAPI (knowing it would not work, but as a test), importing as another user, and got a strange error (file not found), and got the second example I promised to post as an answer ;-).
Also, I got a comment from Marcel on the last post, with a nice tip about using get-credential and GetNetworkCredential to decrypt a securestring.
So thanks Marcel, for the tip,
and Lee for writing the examples for me and the rest of the Help.
gr /\/\o\/\/
PS: new-securestring has no key option (after I mentioned it in the NG, I got that "arrg, of course not" feeling). There is no use for it, so I kind of expected Lee's reaction LOL:
Lee Holmes:
I'm not sure why you'd want a key for new-secureString. If you want to use a key, the export-secureString and import-secureString (with the key parameter) should do what you want.
/\/\o\/\/:
You're right, I did think about that also (after my sleep), as the SecureString's purpose is different: it's in memory only (you need to export it anyway to get it out of your session), so only using DPAPI here makes sense ;-)