
I am getting an error when trying to bind an argument to a parameter of ConvertTo-SecureString. The error refers to it as null.

CODE:

param (
    [string]$NewPassword
)
$key = "ThisIsMyEncryptionKey1234"
$encryptedPassword = ConvertTo-SecureString $NewPassword -Key $key
Set-ADAccountPassword -Identity $env:USERNAME -NewPassword $encryptedPassword -Reset
$path = "n:\logs\pwtracker.txt"
$encryptedPassword | ConvertFrom-SecureString | Out-File $path -Append

This is the error I am getting:

ConvertTo-SecureString : Cannot bind parameter 'Key'. Cannot convert value "ThisIsMyEncryptionKey1234" to type "System.Byte". Error:
"Input string was not in a correct format."
At line:1 char:63
+ $encryptedPassword = ConvertTo-SecureString $NewPassword -Key $key
+                                                               ~~~~
    + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
Olaf
JerryP
  • `-Key` expects a byte array, not a string. Assuming `$key` is actually the key used to encrypt your password, then you need to tell us in which format you stored it. Could it be base64? – Santiago Squarzon Mar 16 '23 at 00:37
  • Yes, Key should be the key used to encrypt that password. I am not sure what format, UTF8 or base64, is used for AD passwords? – JerryP Mar 16 '23 at 00:49
  • I'm not sure I understand your question. How can we know how it was decided to store that key? – Santiago Squarzon Mar 16 '23 at 01:05
  • I will be using a hard-coded key to encrypt the password that I am storing in the text file. I don't think I explained that correctly. – JerryP Mar 16 '23 at 01:14
  • Right, and how did you store it in the text file? Did you just store it as raw bytes? Did you encode the bytes as base64 before storing it? Because I would like to assume your line of code `$key = "ThisIsMyEncryptionKey1234"` is not actually hardcoded, right? You're reading the key from a file which we're currently not seeing. – Santiago Squarzon Mar 16 '23 at 01:17
  • No, I didn't store it in the file. I have this wrong, as you noted, simply a string. I did some more digging and came up with this: `$key = [System.Text.Encoding]::base64.GetBytes('&F)H@McQfTjWnZr4')`, and now this is the error: You cannot call a method on a null-valued expression. At line:1 char:1 + $key = [System.Text.Encoding]::base64.GetBytes('&F)H@McQfTjWnZr4') + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull – JerryP Mar 16 '23 at 01:25
  • Here, look at this answer to give you an idea of how it works: https://stackoverflow.com/a/74935934/15339544 – Santiago Squarzon Mar 16 '23 at 01:27
  • Thanks for the link! Is there a way to use a hardcoded key instead of creating one as they mentioned in the article? I don't need random keys, just one that will encrypt the password created. – JerryP Mar 16 '23 at 01:41
  • So why do you want to use a key to encrypt the passwords? Is this file "n:\logs\pwtracker.txt" supposed to be read by someone other than you? You can use a hardcoded key in your script, but at that point you might as well store the passwords as plain text, since what you're doing is not secure at all. – Santiago Squarzon Mar 16 '23 at 01:43
  • Well, that file should store all passwords that are changed, so I don't want other users to see plain-text passwords. That's right. This is just for administrative purposes; when we have made changes to all passwords we get rid of that file. – JerryP Mar 16 '23 at 01:47
  • So what you should do, assuming the key is meant to be shared: use the method shown in the linked answer to generate a random byte array, then you can do `[System.Convert]::ToBase64String($bytes)` and store that key, ideally in a vault, somewhere safe. After you have that key stored, in your script you can read it and do `$key = [System.Convert]::FromBase64String($storedKey)` and use it in your code. It should work after following those steps. – Santiago Squarzon Mar 16 '23 at 01:52

1 Answer


## upd

$NewPassword = Read-Host "password" -AsSecureString   # already a SecureString, and never echoed to the console

function GetKey() {
    # 32 random bytes = a 256-bit AES key (-Key also accepts 16 or 24 bytes)
    $AESKey = New-Object Byte[] 32
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
    $AESKey
}

# Read-Host -AsSecureString already returned a SecureString, so no
# ConvertTo-SecureString -AsPlainText -Force step is needed here; that step
# is only for a plain [string] value, as in the question's param block.
$SecPass = $NewPassword
$AESKey = GetKey
$AESKey | Out-File "$PSScriptRoot\password_aes.key"   # one decimal byte value per line

$encryptedPassword = ConvertFrom-SecureString -SecureString $SecPass -Key $AESKey
$encryptedPassword | Out-File "$PSScriptRoot\encryptedPassword.txt"

Reverse (decryption):

$key = [byte[]](Get-Content "$PSScriptRoot\password_aes.key")   # back to the byte[] that -Key needs
$SecPassString = Get-Content "$PSScriptRoot\encryptedPassword.txt"
$SecPass = $SecPassString | ConvertTo-SecureString -Key $key
rinat gadeev
  • I've tried this and got this error: ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is an empty string. At line:1 char:35 + $SecPass = ConvertTo-SecureString $NewPassword -AsPlainText -Force + ~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand – JerryP Mar 16 '23 at 18:28
  • Also, this is missing the whole Set-ADAccountPassword statement. – JerryP Mar 16 '23 at 18:34
  • @JerryP Are you serious? This is part of your script; you have exactly the same parameter. I thought you would embed my answer in your script. – rinat gadeev Mar 17 '23 at 03:17
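Added example, not code from the question or from rinat gadeev's answer: the flow Santiago Squarzon lays out in the comments on the question (generate a random byte array once, store it Base64-encoded somewhere safe, read it back with `FromBase64String`, use it as `-Key`), combined with the answer's `ConvertFrom-SecureString` / `ConvertTo-SecureString -Key` pair so the whole encrypt and decrypt round trip is visible in one script. The file names `pwtracker.key` and `pwtracker.txt`, the log line layout, and the assumption that it runs as a script (so `$PSScriptRoot` is set) are mine; it also checks the key length that `-Key` requires (16, 24 or 32 bytes), which is why a text key such as `"ThisIsMyEncryptionKey1234"` cannot work even once converted to bytes.

```powershell
# Added example (not from the question or the answer): AES key generation, storage as
# Base64, and the ConvertFrom-SecureString / ConvertTo-SecureString -Key round trip.
# Paths are assumptions. The key file must not live where readers of the log can get it;
# a key inside the script or beside the log makes the "encryption" equivalent to plain text.

$keyPath = "$PSScriptRoot\pwtracker.key"   # assumed path: holds the Base64-encoded AES key
$logPath = "$PSScriptRoot\pwtracker.txt"   # assumed path: holds encrypted standard strings

function New-AesKeyBase64 {
    # -Key accepts 16, 24 or 32 bytes (AES-128/192/256); generate 32 random bytes.
    $bytes = New-Object Byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [System.Convert]::ToBase64String($bytes)
}

function Get-AesKeyBytes([string]$Path) {
    # Read the stored key back and turn it into the byte[] that -Key requires.
    $bytes = [System.Convert]::FromBase64String((Get-Content -Path $Path -Raw).Trim())
    if ($bytes.Length -notin @(16, 24, 32)) {
        throw "Key at $Path is $($bytes.Length) bytes; -Key needs 16, 24 or 32."
    }
    $bytes
}

# One-time setup: create the key once and store it (ideally in a vault; a file here).
if (-not (Test-Path $keyPath)) {
    New-AesKeyBase64 | Set-Content -Path $keyPath -NoNewline
}
$key = Get-AesKeyBytes $keyPath

# Encrypt: Read-Host -AsSecureString yields a SecureString without echoing it, and
# ConvertFrom-SecureString -Key turns it into a portable encrypted standard string.
$securePassword = Read-Host "New password" -AsSecureString
$encrypted = ConvertFrom-SecureString -SecureString $securePassword -Key $key
"$(Get-Date -Format o) $env:USERNAME $encrypted" | Out-File -FilePath $logPath -Append

# Decrypt: ConvertTo-SecureString -Key is the inverse. This is the direction the
# question's script had backwards: it fed the plain-text password to -Key.
$lastEntry = @(Get-Content $logPath)[-1].Split(' ')[-1]
$recovered = ConvertTo-SecureString -String $lastEntry -Key $key

# Both SecureStrings can be handed straight to the cmdlet from the question, e.g.
# Set-ADAccountPassword -Identity $env:USERNAME -NewPassword $securePassword -Reset
# so the plain-text password never has to be materialised as a [string].
```

Generate the key on one machine, copy only the Base64 text into the vault or key file the administrators share, and keep the log itself on the share; without the key file the encrypted standard strings in `pwtracker.txt` cannot be turned back into passwords, which is the property the question is after.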