Store powershell credentials encrypted
Within powershell there is a object call PSCredential. This objects can be used to store and load credentials which can be used e.g. for connecting to a server, Storage, VMware, etc.
$credential = Get-Credential $credential | Export-CliXml -Path "C:\scripts\credential.xml"
If our script should run automatically we have to save this credentials to a file. With this little script it can be done. It creates an variable $credential and prompt us for the username and password. The password will be encrypted as a SecureString from Data Protection API (DPAPI). After this we exported this variable to an XML file to allow reading this easily into another script or command.
Importent is that the content of the file only can be decrypted by the current user. If I need this credentials for another account I have a little bit more work to do. In my case my Veeam Backup & Replication is running like all default installations in “Local System” context. If I want to store and use credentials within e.g. Pre-Job scripts, I have to store the credentials within this user context.
But the big question is how to do this?
I used PSExec for this because it can spawn a new process easily within another security context. I downloaded it and used this command to start a script with the two code lines above.
PsExec64.exe -i -s powershell.exe -ExecutionPolicy Unrestricted -Command "& 'C:\scripts\Save-Credential.ps1‘"
Now the credentials are encrypted with “Local System” and can be used with e.g. Backup and Replication for Pre- or Post-Job scripts.