Replace Encryption methods #32

New Issue

Closed

opened 2018-12-17 11:35:19 +01:00 by OCram85 · 0 comments

OCram85 commented 2018-12-17 11:35:19 +01:00

Owner

Copy Link

🔩

Due to PowerShell Core limits / issue we can't use ConvertFrom-SecureString to retrieve the passwords from the Credential Store for the Core variant of this module.

🥇 Alternate Password Encryption

A while ago I stumbled upon an interesting article about using certificates for encrypting the keys:

• Part1
• Part2

So unfortunately there is no Certificate PSProvider in for PowerShell Core. But luckily the used decrypt and encrypt methods are still available if we use the Get-PfxCertificate.

🔎 Protoyping

Meanwhile I plumbed up a quick prototype which evaluates this workflow:

1. Creating a self signed PFX certificate manually with openssl
2. Creating a secure string with the above mentioned procedure.
3. Transfering the encrypted string onto a windows machine
4. try to connect to a VMware vcenter using the SecureString

Encrypt

try {
    $secureString = 'This is my password.  There are many like it, but this one is mine.' | 
                    ConvertTo-SecureString -AsPlainText -Force  
    $key = New-Object byte[](32)
    $rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
    $rng.GetBytes($key)
    $encryptedString = ConvertFrom-SecureString -SecureString $secureString -Key $key
    $cert = Get-PfxCertificate -FilePath './certificate.pfx'
    $encryptedKey = $cert.PublicKey.Key.Encrypt($key,[System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)
    $object = New-Object psobject -Property @{
        Key = $encryptedKey
        Payload = $encryptedString
    }
    $object | Export-Clixml './encryptionTest.xml'
}
finally {
    if ($null -ne $key) { [array]::Clear($key, 0, $key.Length) }
}

Decrypt

try {
    $object = Import-Clixml -Path './encryptionTest.xml'
    $cert = Get-PfxCertificate -FilePath './certificate.pfx'
    $key = $cert.PrivateKey.Decrypt($object.Key, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)
    $secureString = $object.Payload | ConvertTo-SecureString -Key $key
    Import-Module -Name Vmware*
    $creds = [PSCredential]::new('myUser', $SecureString)
    Connect-VIServer -Server 'vcenter01' -Credential $creds
    Get-VM -Name 'testvm'
}
finally {
    if ($null -ne $key) { [array]::Clear($key, 0, $key.Length) }
}

Credits

• Already a huge thanks to @dlwyatt for the template and inspiration!

## :nut_and_bolt: Due to [PowerShell Core limits / issue](https://github.com/PowerShell/PowerShell/issues/1654) we can't use `ConvertFrom-SecureString` to retrieve the passwords from the _Credential Store_ for the Core variant of this module. ## :1st_place_medal: Alternate Password Encryption A while ago I stumbled upon an interesting article about using certificates for encrypting the keys: - [Part1](https://powershell.org/2013/11/24/saving-passwords-and-preventing-other-processes-from-decrypting-them/) - [Part2](https://powershell.org/2014/02/01/revisited-powershell-and-encryption/) So unfortunately there is no `Certificate PSProvider` in for PowerShell Core. But luckily the used `decrypt` and `encrypt` methods are still available if we use the `Get-PfxCertificate`. ## :mag_right: Protoyping Meanwhile I plumbed up a quick prototype which evaluates this workflow: 1. Creating a self signed PFX certificate manually with `openssl` 2. Creating a secure string with the above mentioned procedure. 3. Transfering the encrypted string onto a windows machine 4. try to connect to a VMware vcenter using the SecureString ### Encrypt ```powershell try { $secureString = 'This is my password. There are many like it, but this one is mine.' | ConvertTo-SecureString -AsPlainText -Force $key = New-Object byte[](32) $rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create() $rng.GetBytes($key) $encryptedString = ConvertFrom-SecureString -SecureString $secureString -Key $key $cert = Get-PfxCertificate -FilePath './certificate.pfx' $encryptedKey = $cert.PublicKey.Key.Encrypt($key,[System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1) $object = New-Object psobject -Property @{ Key = $encryptedKey Payload = $encryptedString } $object | Export-Clixml './encryptionTest.xml' } finally { if ($null -ne $key) { [array]::Clear($key, 0, $key.Length) } } ``` ### Decrypt ```powershell try { $object = Import-Clixml -Path './encryptionTest.xml' $cert = Get-PfxCertificate -FilePath './certificate.pfx' $key = $cert.PrivateKey.Decrypt($object.Key, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1) $secureString = $object.Payload | ConvertTo-SecureString -Key $key Import-Module -Name Vmware* $creds = [PSCredential]::new('myUser', $SecureString) Connect-VIServer -Server 'vcenter01' -Credential $creds Get-VM -Name 'testvm' } finally { if ($null -ne $key) { [array]::Clear($key, 0, $key.Length) } } ``` ## Credits - Already a huge thanks to @dlwyatt for the template and inspiration!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v1.1.1-rc1

v1.1.0

v1.1.0-dev9

v1.1.0-dev8

v1.1.0-dev7

v1.1.0-dev6

v1.1.0-dev5

v1.1.0-dev4

v1.1.0-dev3

v1.1.0-dev2

v1.1.0-alpha1

v1.1.0-dev1

1.0.548

1.0.477

1.0.467

0.5.428

0.5.391

0.5.377

0.2.3.199

0.2.2.194

0.2.1.182

0.2.1.178

0.2.1.138

0.2.0.81

0.2.0.78

0.1.68

0.1.51

0.1.50

0.1.47

Labels

Clear labels

bug

Something is not working

docs

Changes related to the docs output

duplicate

This issue or pull request already exists

enhancement

New feature

feature

Adds a new feature

help wanted

Need some help

invalid

Something is wrong

meta

Changes related to general project files

question

More information is needed

wontfix

This won't be fixed

No Label

bug

enhancement

Milestone

No items

No Milestone PowerShell Core Support

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: OCram85/PSCredentialStore#32

No description provided.