What is the difference between a secure string and an encrypted string?

You may be a little lost when you start working with the PowerShell cmdlets that handle secure strings.

Indeed, one might think that ConvertFrom-SecureString gives you back what you entered with Read-Host -AsSecureString or ConvertTo-SecureString.

But that’s not the case!

Secure strings help to protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used.

To better understand, let’s have a look at the description of the ConvertTo-SecureString cmdlet.

The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings.
It can also convert plain text to secure strings.
It is used with ConvertFrom-SecureString and Read-Host.

The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString.
The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet.
This enables it to be stored in a file for later use.

The secure string is, in fact, an object of type System.Security.SecureString.

Its content is held encrypted in memory, whether it came from a user's input, from an encrypted standard string, or from a plain text string that the cmdlet encrypted.

The secure string can be used with cmdlets or functions that require this type of object.

It can also be converted back to an encrypted, standard string (System.String) using the ConvertFrom-SecureString cmdlet, and that string can be saved to a file.

However, the ConvertFrom-SecureString cmdlet does not convert the secure string back to a human-readable plain text string.


The AsPlainText parameter

This parameter only tells the ConvertTo-SecureString cmdlet that its input is plain text.

That plain text is immediately encrypted by the cmdlet.

For example:
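The round trip described above, together with the AsPlainText usage, as an added example that is not from the original post (Windows PowerShell assumed; the password, account name and file path are constructed sample values):

```powershell
# Added example, not from the original post: a secure string round trip.
# The password, account name and file path are constructed sample values.

# 1. Plain text -> SecureString. -AsPlainText requires -Force because the
#    literal is readable in the script, on screen and in the command history.
$secure = ConvertTo-SecureString -String 'P@ssw0rd!' -AsPlainText -Force
$secure.GetType().FullName        # System.Security.SecureString
$secure.Length                    # 9 (character count, the only thing exposed)

# 2. SecureString -> encrypted standard string (a System.String).
#    Without -Key, ConvertFrom-SecureString uses Windows DPAPI, so the output
#    can only be turned back into a SecureString by the same user on the same
#    machine (use -Key or -SecureKey for a portable AES-encrypted string).
$encrypted = ConvertFrom-SecureString -SecureString $secure
$encrypted.GetType().FullName     # System.String
$encrypted                        # a long hex blob, not 'P@ssw0rd!'

# 3. That encrypted standard string is what you store for later use.
$path = Join-Path $env:TEMP 'cred.txt'
$encrypted | Set-Content -Path $path

# 4. Encrypted standard string -> SecureString. No -AsPlainText here: the
#    cmdlet recognises the DPAPI-protected input and decrypts it into memory.
$restored = Get-Content -Path $path | ConvertTo-SecureString

# 5. Hand the SecureString to something that expects one, e.g. a PSCredential.
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'svc-account', $restored

# 6. Check the round trip: the same user context can recover the secret,
#    which is why the stored file is only as safe as that user account.
$cred.GetNetworkCredential().Password -eq 'P@ssw0rd!'   # True

# 7. The safer way to create the SecureString in the first place: prompt for
#    it, so the secret never appears in a script or in the history.
$prompted = Read-Host -Prompt 'Password' -AsSecureString

Remove-Item -Path $path
```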

Please note that in order to use the AsPlainText parameter, you must also specify the Force parameter.

Here is the explanation from the Get-Help cmdlet.

Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.

Then why is it not secure to use the AsPlainText parameter?

It is not secure because anybody can read what you wrote: somebody near you or behind you, or malware on your computer, can read the command line you just typed.

Likewise, somebody or malware can read your script, which contains this command line with the plain text password.

More about

ConvertTo-SecureString
(Microsoft Docs)

ConvertFrom-SecureString
(Microsoft Docs)

Working with Passwords, Secure Strings and Credentials in Windows PowerShell (Microsoft Wiki)
