0

Related to: https://learn.microsoft.com/en-us/powershell/module/bitlocker/unlock-bitlocker?view=windowsserver2022-ps

    $SecureString = ConvertTo-SecureString "fjuksAS1337" -AsPlainText -Force
    Unlock-BitLocker -MountPoint "E:" -Password $SecureString

I want to use that in a .ps1 script file (without asking for the user password). The user is only me and it's on my home computer.

My question: Is it possible to replace "fjuksAS1337" with a hash of "fjuksAS1337" or something less obvious than the literal text password in the script?

Thanks for your help!

boxdog
islogged
  • this series is probably what you're after: [How to encrypt credentials & secure passwords](https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-2/#convertto-securestring-and-convertfrom-securestring) – Abraham Zinala Apr 10 '23 at 12:29

2 Answers

0

You could save your credentials in an XML file inside a folder where you have set read/modify permissions for yourself only, like this:

    $path = Join-Path -Path $env:USERPROFILE -ChildPath "OnlyMeCanAccess\bitlocker.xml"
    # Prompt once; the password is held as a SecureString inside the PSCredential
    $cred = Get-Credential -UserName $env:USERNAME -Message 'Please enter your credentials'
    # On Windows, Export-Clixml stores the password encrypted with DPAPI for the current user
    $cred | Export-Clixml -Path $path -Force

Then in your script use it as:

    $path = Join-Path -Path $env:USERPROFILE -ChildPath "OnlyMeCanAccess\bitlocker.xml"
    # Import-Clixml restores the PSCredential; .Password is already a SecureString
    $cred = Import-Clixml -Path $path
    Unlock-BitLocker -MountPoint "E:" -Password $cred.Password
Theo
0

It is not safe to keep credentials in a script, but you can use the following scheme:

  1. Run a PS console and execute the next 4 commands.

1.1. Generate a secure key for encryption (keep it). This is a simple example key:

    [byte[]] $key = (1..32)

1.2. Make a secured string from your password:

    $SecuredString = ConvertTo-SecureString -AsPlainText -Force -String "fjuksAS1337"

1.3. Make an encrypted string using the secure key:

    $EncryptedString = ConvertFrom-SecureString -Key $key -SecureString $SecuredString

1.4. Print and keep the value of $EncryptedString:

76492d1116743f0423413b16050a5345MgB8ADQANgBLAGgAawBKADIANQBSADEAbABBAGEATgBrAHAASgBKAGcAZwBBAFEAPQA9AHwANwA2ADcAMQAzADcAOQBlAGEAZAA2AGMAMAAyADEANwBhAGIAYgBlADQAOABmAGEANABjADgAYQAzAGYAZAA2AGMAYgAxADUAMgA0ADAAMAAxADAAOQA5AGIAYwAxADQAOQAxADEANQAwADAAYQA1AGIAYgA0ADIAZAA5ADMANQA=
  2. Use the encrypted password value in your script (1.4.):

    $EncryptedString = "76492d1116......ANQA="

  3. Use the secure key in your script (1.1.):

    [byte[]] $key = (1..32)

  4. Make the secured string in the script:

    $SecuredString = ConvertTo-SecureString $EncryptedString -Key $key

  5. Use the secured string in the script:

    Unlock-BitLocker -MountPoint "E:" -Password $SecuredString

Daemon-5
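
An added example, not part of either answer: it combines the restricted folder from the first answer with the ConvertFrom-SecureString / ConvertTo-SecureString pair from the second, but omits -Key so that Windows DPAPI protects the stored value and no key has to sit in the script. The function names Save-UnlockPassword and Unlock-DataVolume and the file name bitlocker.txt are assumptions made for this example.

```powershell
# Added example. Function names and the file name are assumptions, not from the answers.
$dir  = Join-Path -Path $env:USERPROFILE -ChildPath 'OnlyMeCanAccess'
$file = Join-Path -Path $dir -ChildPath 'bitlocker.txt'

function Save-UnlockPassword {
    # One-time setup. Run it as the same account that will later run the unlock script.
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Drop inherited ACEs and grant access to the current user only.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl

    # Prompt so the plaintext never appears in a script file or in console history.
    $secure = Read-Host -Prompt 'BitLocker password for the volume' -AsSecureString

    # Without -Key, ConvertFrom-SecureString protects the value with DPAPI:
    # only this user account on this computer can turn it back into a SecureString.
    $secure | ConvertFrom-SecureString | Set-Content -Path $file -Encoding ASCII
}

function Unlock-DataVolume {
    param([string] $MountPoint = 'E:')

    if (-not (Test-Path -Path $file)) {
        throw "No stored password at $file. Run Save-UnlockPassword first."
    }
    try {
        # Fails if the file was written by another account or on another computer.
        $secure = Get-Content -Path $file | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Stored password cannot be decrypted by this user on this computer: $_"
    }
    Unlock-BitLocker -MountPoint $MountPoint -Password $secure
}
```

Dot-source the file, run Save-UnlockPassword once from an interactive console, then call Unlock-DataVolume from the .ps1 script under the same account.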