This blog has moved to http://ThePowerShellGuy.com
As I said in my last post, "Get-credential and Decrypting a SecureString in MSH", I would look into it a bit more.
I got a lot of help since then (basically they worked it all out for me), so I'll just post some of it here:
First I got an Example of using Encryption in MSH from Lee Holmes in the NG:
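$plainText = "Meet at dawn."
$plainBytes = $(new-object System.Text.ASCIIEncoding).GetBytes($plainText)
$rijndael = new-object System.Security.Cryptography.RijndaelManaged
$rijndael.Mode = "CBC"
# Salt and IV are hard-coded for the demo; real use needs random per-message values
$saltBytes = $(new-object System.Text.ASCIIEncoding).GetBytes("Salt")
# The arguments to new-object were lost from this page; PasswordDeriveBytes and the
# placeholder pass phrase below are assumptions that make the snippet runnable
$password = new-object `
    System.Security.Cryptography.PasswordDeriveBytes "<pass phrase>", $saltBytes
$keyBytes = $password.GetBytes(32)
$ivBytes = $(new-object System.Text.ASCIIEncoding).GetBytes("iviviviviviviviv")
$encryptor = $rijndael.CreateEncryptor($keyBytes, $ivBytes)
$memoryStream = new-object System.IO.MemoryStream
# The stream arguments were also lost; these are the ones CryptoStream needs for writing
$cryptoStream = new-object System.Security.Cryptography.CryptoStream `
    $memoryStream, $encryptor, "Write"
$cryptoStream.Write($plainBytes, 0, $plainBytes.Length)
# Flush the padded final block, otherwise the ciphertext is incomplete
$cryptoStream.FlushFinalBlock()
$cipherTextBytes = $memoryStream.ToArray()
$cipherText = [Convert]::ToBase64String($cipherTextBytes)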
Lee Holmes [MSFT]
As this is using Rijndael, not DPAPI, it works with a password.
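A password-based round trip in the spirit of the encryption example above, as an added example (not code from the original post or from Lee Holmes): it derives the keys with PBKDF2, uses a random salt and IV per message, and checks an HMAC over the ciphertext before decrypting. The function names, blob layout, iteration count and sample pass phrase are choices made for this example, which assumes PowerShell 5.1 or later on .NET Framework 4.7.2+ or .NET Core.

```powershell
using namespace System.Security.Cryptography
# Added example, not the original post's code. Blob layout (a choice made here):
# salt(16) | IV(16) | ciphertext | HMAC-SHA256 tag(32), Base64-encoded.
function Get-DerivedKeys([string]$Password, [byte[]]$Salt) {
    # PBKDF2-SHA256; the first 32 bytes key AES-256, the last 32 key the HMAC.
    $kdf = [Rfc2898DeriveBytes]::new($Password, $Salt, 200000, [HashAlgorithmName]::SHA256)
    try { $k = $kdf.GetBytes(64) } finally { $kdf.Dispose() }
    @{ Enc = [byte[]]$k[0..31]; Mac = [byte[]]$k[32..63] }
}

function Protect-Text([string]$PlainText, [string]$Password) {
    $salt = [byte[]]::new(16); $iv = [byte[]]::new(16)
    $rng = [RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt); $rng.GetBytes($iv) } finally { $rng.Dispose() }
    $keys = Get-DerivedKeys $Password $salt
    $aes = [Aes]::Create()          # defaults: CBC mode, PKCS7 padding
    try {
        $aes.Key = $keys.Enc; $aes.IV = $iv
        $plain = [Text.Encoding]::UTF8.GetBytes($PlainText)
        $ct = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    } finally { $aes.Dispose() }
    $body = [byte[]]($salt + $iv + $ct)
    $hmac = [HMACSHA256]::new($keys.Mac)
    try { $tag = $hmac.ComputeHash($body) } finally { $hmac.Dispose() }
    [Convert]::ToBase64String([byte[]]($body + $tag))
}

function Unprotect-Text([string]$Blob, [string]$Password) {
    $all = [Convert]::FromBase64String($Blob); $n = $all.Length
    if ($n -lt 80) { throw 'Blob too short.' }
    $salt = [byte[]]$all[0..15]; $iv = [byte[]]$all[16..31]
    $body = [byte[]]$all[0..($n - 33)]; $tag = [byte[]]$all[($n - 32)..($n - 1)]
    $keys = Get-DerivedKeys $Password $salt
    $hmac = [HMACSHA256]::new($keys.Mac)
    try { $expected = $hmac.ComputeHash($body) } finally { $hmac.Dispose() }
    # Verify the tag before decrypting; OR-ing the XORs avoids an early exit.
    $diff = 0; for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Wrong password or modified ciphertext.' }
    $aes = [Aes]::Create()
    try {
        $aes.Key = $keys.Enc; $aes.IV = $iv
        $ct = [byte[]]$all[32..($n - 33)]
        $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    } finally { $aes.Dispose() }
    [Text.Encoding]::UTF8.GetString($plain)
}

$blob = Protect-Text 'Meet at dawn.' 'placeholder passphrase'   # constructed inputs
Unprotect-Text $blob 'placeholder passphrase'
```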
Then an example of importing and exporting with a key in MSH using export-securestring, also posted by Lee Holmes in the NG:
MSH:31 C:\temp > ## Part 1: User embeds "Hello World" in a SecureString
MSH:32 C:\temp > $secureString = new-secureString
Enter secret: ***********
MSH:33 C:\temp >
MSH:33 C:\temp > ## ... and creates their secret key
MSH:34 C:\temp > $secureKey = new-secureString
Enter secret: ****************
MSH:35 C:\temp >
MSH:35 C:\temp > ## Then, they export it
MSH:36 C:\temp > $exported = export-secureString $secureString $secureKey
MSH:37 C:\temp > $exported
MSH:38 C:\temp >
MSH:38 C:\temp > ## Part 2: Another user imports that into another SecureString, using
MSH:39 C:\temp > ## the same key.
MSH:40 C:\temp > $imported = import-secureString $exported $secureKey
MSH:41 C:\temp >
MSH:41 C:\temp > ## Then, they extract the message from the SecureString
MSH:42 C:\temp > $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($imported)
MSH:43 C:\temp > $message = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($ptr)
MSH:46 C:\temp >
MSH:46 C:\temp > ## This is it
MSH:47 C:\temp > $message
MSH:48 C:\temp >
I was testing this with DPAPI (knowing it would not work, but as a test), importing as another user, and got a strange error (file not found), and got the second example I promised to post as an answer ;-).
Also I got a comment from Marcel on the last post, with a nice tip about using get-credential and GetNetworkCredential to decrypt a securestring.
So thanks Marcel, for the tip,
and Lee for writing the examples for me and the rest of the Help.
PS: new-securestring has no key option (after I mentioned it in the NG, I got that "arrg, of course not" feeling). There is no use for it, so I kind of expected Lee's reaction LOL:
Lee Holmes: I'm not sure why you'd want a key for new-secureString. If you want to use a key, the export-secureString and import-secureString (with the key parameter) should do what you want.
/\/\o\/\/: You're right, I did think about that also (after my sleep), as the SecureString's purpose is different: it's in memory only (you need to export it anyway to get it out of your session), so only using DPAPI here makes sense.