You will probably be a little lost when you start working with the PowerShell cmdlets that handle secure strings.
Indeed, one can think that ConvertFrom-SecureString gives you back what you entered with Read-Host -AsSecureString or
But that’s not the case!
Secure strings help to protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used.
To better understand, let’s have a look at the description of the
The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to be stored in a file for later use.
The secure string is, in fact, an object of type System.Security.SecureString.
Its content is either a (standard) encrypted string which comes from a user’s input or a plaintext string converted to an encrypted string.
The secure string can be used with cmdlets or functions that require this type of object.
It can also be converted back to an encrypted, standard string (System.String) using the ConvertFrom-SecureString cmdlet, and you can save that string to a file.
The ConvertFrom-SecureString cmdlet does not convert the secure string back to a human-readable plain text string.
The AsPlainText parameter
This parameter is only used to qualify the input of the
Yet, it is immediately encrypted by the cmdlet.
Please note that in order to use the AsPlainText parameter, you must also specify the Force parameter.
Here is the explanation from the
Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
Then why is it not secure to use the AsPlainText parameter?
It is not secure because anybody can read what you wrote. Somebody near you or behind you, or malware on your computer, can read the command line you just typed.
Likewise, somebody, or malware, can read the content of a script that contains this command line with the plain text password.
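
The round trip described above, as an added example that is not code from the original post: it exports a secure string to an encrypted standard string, saves it to a file, and restores it for use in a PSCredential. It assumes Windows, where ConvertFrom-SecureString without -Key protects the string with DPAPI for the current user; the sample password, the file name securestring-demo.txt and the account name demo-user are constructed for illustration.

```powershell
# Constructed sample value, for demonstration only. In real use, prompt with:
#   $secure = Read-Host -AsSecureString
$secure = ConvertTo-SecureString -String 'Constructed-Sample-1' -AsPlainText -Force

# The result is an object of type System.Security.SecureString.
$secure.GetType().FullName

# ConvertFrom-SecureString returns an encrypted standard string (System.String),
# not the text that was entered.
$encrypted = ConvertFrom-SecureString -SecureString $secure
$encrypted.GetType().FullName
if ($encrypted -eq 'Constructed-Sample-1') {
    throw 'Unexpected: the exported string equals the plain text.'
}

# Save the encrypted string to a file for later use (hypothetical file name).
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'securestring-demo.txt'
Set-Content -Path $path -Value $encrypted

try {
    # Later, as the same user on the same machine: read the file and turn the
    # encrypted standard string back into a SecureString (no -AsPlainText here).
    $restored = Get-Content -Path $path | ConvertTo-SecureString

    # Pass the SecureString to something that requires one, here a PSCredential
    # for a hypothetical account name.
    $credential = New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList 'demo-user', $restored

    # The credential carries a SecureString of the same length as the input.
    $credential.Password.GetType().FullName
    $credential.Password.Length -eq $secure.Length
}
finally {
    # Remove the demonstration file.
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}
```

Only the first line needs the plain text in the script; replacing it with the Read-Host prompt removes the exposure described above while the rest of the round trip stays the same.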