header image

Secure Strings

Posted by: | February 20, 2010 | 2 Comments |

Secure Strings are a way to work with encrypted data – one of the common uses is to protect passwords used in scripts.  The way to use them may not be obvious at first sight.  I hope to clear some of the confusion around them in this post.

A common technique when asking for a password is to use Read-Host as follows

PS> $password = Read-Host "Pasword" -AsSecureString
Pasword: *********


The password you type is not displayed on screen.  If you examine $password we get this

PS> $password


PS> $password | gm

   TypeName: System.Security.SecureString

Name         MemberType Definition
—-         ———- ———-
AppendChar   Method     System.Void AppendChar(char c)
Clear        Method     System.Void Clear()
Copy         Method     System.Security.SecureString Copy()
Dispose      Method     System.Void Dispose()
Equals       Method     bool Equals(System.Object obj)
GetHashCode  Method     int GetHashCode()
GetType      Method     type GetType()
InsertAt     Method     System.Void InsertAt(int index, char c)
IsReadOnly   Method     bool IsReadOnly()
MakeReadOnly Method     System.Void MakeReadOnly()
RemoveAt     Method     System.Void RemoveAt(int index)
SetAt        Method     System.Void SetAt(int index, char c)
ToString     Method     string ToString()
Length       Property   System.Int32 Length {get;}


According to the .NET documentation

Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed. This class cannot be inherited.


We can also get to this point in another way

$password2 = ConvertTo-SecureString  -String "Password1"  -AsPlainText -Force


One draw back to secure strings is that we can’t save them in a file.  To do that we need to convert our secure string to an encrypted string using ConvertFrom-SecureString. We some options around the way we encrypt the string as the help file states:

If an encryption key is specified by using the Key or SecureKey parameters, the Rijndael encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the Rijndael encryption algorithm. If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.

PS> $encrypted = ConvertFrom-SecureString -SecureString $password
PS> $encrypted


We can save our encrypted string directly to disk

ConvertFrom-SecureString -SecureString $password | Set-Content encrypted.txt

and view the contents by

Get-Content encrypted.txt

If we want to get our secure string back from disk

$secured = ConvertTo-SecureString -String $(Get-Content encrypted.txt)


If you do decide to use the Key or SecureKey parameters when encrypting\decrypting secure strings make sure you remember the key!!


Having got our secure string we need to use either to supply credentials or to use the password in another program

If we want to create a credential object to use with a PowerShell cmdlet for instance


PS> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "userid", $secured

PS> $cred | ft -a

UserName                     Password
——–                     ——–
userid   System.Security.SecureString


If we need to use the password as plain text e.g. when setting an AD password or passing it into a command line utility that expects a plain text password we can access the password by using

PS> $cred.GetNetworkCredential().Password


Secure strings are useful to help key passwords and other sensitive data secure but we just need to be careful in how we use them.


Technorati Tags: ,
under: PowerShellV2


  1. By: Brice Burtch on May 1, 2012 at 9:06 am      

    This was really helpful. I’ve been trying to figure out how I might save an encrypted password to a file for later use in a script that makes a MySQL database connection. This makes it very clear. Thank a lot.

  2. By: Rodrigo on June 11, 2012 at 2:55 am      

    This is exactly what I was looikng for. I couldn’t get it to work though. Not sure if it was due to permissions as I couldn’t figure out how to or where to put the password (newbie). I didn’t get any errors, nothing happened though.Any suggestions?//sRc