How to Securely store credentials with PowerShell

There are PowerShell scripts where you have to authenticate and store passwords in PowerShell. Sometimes, you want to get a credential prompt to fill in the credentials and get the script running. Another time, you want to automate the task and save the password securely in an encrypted format. In this article, you will learn how to securely store credentials with PowerShell.

Interactive vs. Non-Interactive

• Interactive method requires user interaction, such as prompting the user to input a username and password. It proceeds further when the necessary information is given.

• Non-interactive method does not require user input during script execution and typically rely on pre-configured settings, automated processes, or data provided in advance.

Important: Always fill in passwords securely, and never in plain text.

Store credentials in PowerShell for user interaction (interactive)

If you want the script to prompt for a username and password, follow the steps in one of the below methods.

Method 1. Get-Credential

1. Run the Get-Credential cmdlet to securely store your credentials in the $Creds variable

$Creds = Get-Credential

2. A Windows PowerShell credential request appears where you must fill in the credentials

3. Run the $Creds variable in PowerShell

$Creds

4. The output shows the username and the password shows as a secure string

UserName                       Password
--------                       --------
myusername System.Security.SecureString

Method 2. PSCredential

1. Run the below command to securely store your credentials in the $Creds variable

$Creds = [System.Management.Automation.PSCredential]::new((Read-Host -Prompt "Enter username"), (Read-Host -Prompt "Enter password" -AsSecureString))

2. Enter the username and password

Enter username: myusername
Enter password: ****************

3. Run the $Creds variable in PowerShell

$Creds

4. The output shows the username and the password shows as a secure string

UserName                       Password
--------                       --------
myusername System.Security.SecureString

This is excellent when you have a script that you run interactively, and you can input the credentials every time. But what if you are not behind the computer, and you want to automate the script with a scheduled task? Then, you have to use a different method.

Store credentials in PowerShell for automation (non-interactive)

To store the credentials on the system so it loads every time you run a PowerShell script, you need to follow the below steps:

1. Run the Get-Credential cmdlet to securely store your credentials in the $Creds variable

$Creds = Get-Credential

2. Enter your credentials
3. Export the credentials to an encrypted XML file

$Creds | Export-CliXml -Path "C:\creds\credential.xml"

Note: The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account can decrypt the contents of the credential object. The exported CLIXML file can’t be used on a different computer or by a different user.

4. Navigate to the path and verify the XML file

5. Open the XML file and check that the password is encrypted

6. In your PowerShell script, you can now run the Import-Clixml cmdlet and point it to the path where the XML file is present so it loads the username and encrypted password

$Creds = Import-CliXml -Path "C:\creds\credential.xml"

That’s it!

Read more: Configure Exchange Online Certificate Based Authentication for unattended scripts »

Conclusion

You learned how to store credentials securely with PowerShell. There are different methods to save credentials in PowerShell. Check if it’s an interactive or a non-interactive script and apply the correct method. Always ensure the passwords are filled in securely and not in clear text.

Did you enjoy this article? You may also like How to connect to Microsoft Graph PowerShell. Don’t forget to follow us and share this article.