Encrypting Code in a PowerShell Script (Tutorial)

PowerShell scripts can contain sensitive information you wouldn’t want to fall into the wrong hands. This tutorial, presented by Brien Posey, demonstrates how to encrypt individual lines of code within PowerShell scripts to keep sensitive data secure.

Subscribe to ITPro Today's YouTube channel for PowerShell tutorials and more.

The following video transcript has been edited for length and clarity.

Transcript:

Brien Posey: PowerShell scripts can be useful for automating tasks, but they also come with security risks. Scripts are stored in plain text and can contain sensitive information about your organization.

In this tutorial, I will show you a technique to encrypt specific lines of code within a PowerShell script. Doing so ensures any sensitive information remains hidden from view.

Let's take a look at how this works.

Manual Steps for Encrypting PowerShell Code

I'm starting by opening File Explorer, where I've already created several files. The first file is a simple script called HelloWorld.ps1. All it does is display the message “Hello World” on the screen. I'll execute it to show you. That's all this script does.

When I open my Hello World script, you can see it consists of a single line of code. Now, imagine that this code contains sensitive information about your organization's infrastructure. To secure it, we will encrypt the line.

Related:Putting the Windows Credential Manager To Work for PowerShell Security

Step 1: Save the code in a text file

First, I created a copy of the script and saved it as a .txt file. I named it HelloWorld.txt. If I open the file, you can see it's identical to the original script but stored as plain text.

Step 2: Encrypt the code

Next, I've created a PowerShell script called EncryptCode.ps1. It is a fairly simple four-line script.

The script starts by creating a variable called $Code to read the contents of HelloWorld.txt using Get-Content.

$Code = Get-Content C:ScriptsHelloWorld.txt

I'll run this into PowerShell. Although there's no visible output, we've loaded the contents into the $Code variable. Let's confirm by checking the variable. You can see that $Code is set to Write-Host ‘Hello World’.

Step 3: Convert to a secure string

The next line of code converts the content of the .txt file into a secure string. In doing so, it creates a variable called $CodeSecureString.

$CodeSecureString = ConvertTo-SecureString $Code -AsPlainText -Force

Let's manually run the command. Again, there is no visible output, but when we examine $CodeSecureString, we can see that it contains System.Security.SecureString. This means the contents are now encrypted and hidden.

Step 4: Convert to an encrypted string

We now convert the secure string into an encrypted string, storing the result in $Encrypted.

Related:How to Sign PowerShell Scripts: A Guide for IT Pros

$Encrypted = ConvertFrom-SecureString -SecureString $CodeSecureString

Let's run this line. When we view the contents of the $Encrypted variable, we can see it's now an encrypted string.

Step 5: Save the encrypted string file

Finally, we write this encrypted string out to a file using Out-File.

$Encrypted | Out-File -FilePath C:ScriptsEncrypted.txt

We now have a file named Encrypted.txt. If we open it, it contains the encrypted string. The file can safely store sensitive code.

Automating Encryption With a PowerShell Script

Although we ran each step manually, we can automate the process by running the EncryptCode.ps1 script.

Decrypt the Encrypted String

Now that we have an encrypted string, we must decrypt it to use the original command. I've prepared another script, RunCode.ps1, which contains the encrypted string in a variable called $Instructions.

$Instructions = “”

What I want to do is paste the encrypted string between these quotation marks.

To decrypt it, we need to convert it back to a secure string with ConvertTo-SecureString, then convert it back to plain text using a .NET method.

$Decrypt = $Instructions | ConvertTo-SecureString

$Code = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Decrypt))

Finally, we use Invoke-Expression to execute the decrypted command:

Invoke-Expression $Code

Running RunCode.ps1 will display the "Hello World" message, except that the command that triggers it is encrypted in the script.

Conclusion

Obviously, Write-Host ‘Hello World’ isn't sensitive content by any stretch of the imagination, but imagine how useful this technique could be for encrypting passwords or server details. It is a great way of hiding code within your PowerShell script.

Related:PowerShell: How To Generate a Random Password (Revised Script)

So, that's how you encrypt and decrypt a command in a PowerShell script.