What is the difference between a secure string and an encrypted string?

You may be probably a little lost when you start working with Powershell cmdlets handling secure strings.
Indeed, one can think that ConvertFrom-SecureString gives you back what you entered with Read-Host -AsSecureString or ConvertTo-SecureString.

But that’s not the case!

Secure strings are helping to protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used.

To better understand, let’s have a look at the description of the
ConvertTo-SecureString cmdlet.

The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings.
It can also convert plain text to secure strings.
It is used with ConvertFrom-SecureString and Read-Host. 

The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString.
The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet.
This enables it to be stored in a file for later use.

The secure string is, in fact, an object of type System.Security.SecureString.

Its content is either a (standard) encrypted string which comes from a user’s input or a plaintext string converted to an encrypted string.

The secure string can be used with cmdlets or functions that require this type of object.

It can also be converted back to an encrypted, standard string (System.String) using the ConvertFrom-SecureString cmdlet which you can save to a file.

However, the ConvertFrom-SecureString cmdlet does not convert the secure string back to a human-readable plain text string.

The AsPlainText parameter

This parameter is only used to qualify the input of the ConvertTo-SecureString cmdlet.
However, it is immediately encrypted by the cmdlet.
For example:

Please note that in order to use to use the AsPlainText parameter, you must also specify the Force parameter.
Here is the explanation from the Get-Help cmdlet.

Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.

Then why it is not secure to use the AsPlainText parameter?

It is not secure because everybody can read what you wrote. Either somebody near you or in your back or a malware on your computer can read the command line you just typed.
Or somebody or a malware car read the content of your script containing this command line with the plain text password.

More about

ConvertTo-SecureString (Microsoft Docs)

ConvertFrom-SecureString (Microsoft Docs)

Working with Passwords, Secure Strings and Credentials in Windows PowerShell (Microsoft Wiki)

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s