This module will securely store passwords in PowerShell with ease. I wrote this back in 2019 while working on replacing some Python code with PowerShell. Recently I needed to use this on another sever and found that it throws a key error.
Import-cliXml: Key not valid for use in specified state.
It makes sense but was something that I hadn’t thought about when initially writing the module.
To get past that issue I added two new methods. It’s a simple export to CSV on the original server and import of the CSV on the other server(s) to create the XML.
The base use of this module allows you store credentials, fetch, and delete and will keep passwords out of your scripts. You can find usage examples in the script itself and you can store passwords for databases, sftp, or Windows accounts.
Using This Module
Simply copy the code, save as PSVault.psm1 and place it where you store your modules or add it to the default PowerShell modules location. Then you should be able to import and use like any other module.
Secure Passwords PowerShell Module Code
PowerShell
x
322
322
1
<#2
.Synopsis3
PS-Vault.psm1: Simple password vault for PowerShell scripts.4
Author: Charles Nichols5
Updated: Sept. 2022 > Added ability to export and import to other servers.6
7
.Description8
Get, Set, and Delete passwords securely within PowerShell.9
10
Export-ExternalCredsFrom-CSV and Import-ExternalCredsFrom-CSV are work arounds11
where password files cannot be used on other machines or accounts where created12
on another machine. You can export from the source machine then import on13
new machine to move passwords.14
15
.Parameter Account16
The account associated with the password; also used to load the correct password.17
18
.Parameter Password19
The password.20
21
.Example22
# Add a PSCredential Object.23
Import-Module "E:\MyScripts\PS-Vault.psm1"24
$auth = Set-Creds -Account "MyAccount" -Password "MyPassword"25
26
.Example27
# Delete a PSCredential Object.28
Import-Module "E:\MyScripts\PS-Vault.psm1"29
Remove-Creds -Account "MyAccount"30
31
# Retrieve a PSCredential Object.32
Import-Module "E:\MyScripts\PS-Vault.psm1"33
$auth = Get-Creds -Account "MyAccount"34
35
# Get the password in plain text.36
Get-Password -SecurePassword $auth.Password37
38
.Author39
C. Nichols, 201940
#>41
42
# Set path to your secure storage location.43
$SafeStore = "E:\PSScripts\SecStore"44
45
<#46
.Synopsis47
Fetch a creditial by account name.48
49
.Description50
Get account auth data for use in scripts.51
52
.Parameter Account53
The account or ID used to extract an encrypted password.54
55
.Returns56
System.Management.Automation.PSCredential57
#>58
Function Get-Creds {59
Param(60
[parameter(Mandatory=$true)]61
[String]$Account62
)63
$Creds = $null64
$Store = "$SafeStore\$($Account).xml" 65
if (Test-Path -Path $Store) { 66
$Creds = Import-CliXml -Path $Store67
} else {68
Write-Host "File not found."69
}70
71
return $Creds72
}73
74
<#75
.Synopsis76
Store a creditial by account name.77
78
.Description79
Set account auth data for use in scripts.80
81
.Parameter Account82
The account name or ID.83
84
.Parameter $Password85
Password to be encrypted.86
87
.Output88
CliXml file.89
#>90
Function Set-Creds {91
Param(92
[parameter(Mandatory=$true)]93
[String]$Account,94
[parameter(Mandatory=$true)]95
[String]$Password96
)97
98
$Exists = Test-Path $SafeStore99
If (-not $Exists) {100
New-Item -ItemType directory -Path $SafeStore101
}102
103
$secPass = ConvertTo-SecureString $Password -AsPlainText -Force104
$Cred = New-Object System.Management.Automation.PSCredential ($Account, $secPass)105
$Store = "$SafeStore\$($Account).xml"106
107
$Cred | Export-CliXml -Path $Store108
}109
110
<#111
.Synopsis112
Store a creditial for any account.113
114
.Description115
Will display a user logon dialog and set the account auth data for use in scripts.116
Beneficial if you need to store a password for use in tasks or with an account you117
are not currently logged on with.118
119
.Output120
CliXml file.121
#>122
Function Set-CredsForSpecificAccount {123
Get-Credential | Export-CliXml -Path $SafeStore124
}125
126
<#127
.Synopsis128
Remove a creditial by account name.129
130
.Description131
This will remove the physical XML file from the server.132
133
.Parameter Account134
The account name or ID.135
136
.Output137
CliXml file.138
#>139
Function Remove-Creds {140
Param(141
[parameter(Mandatory=$true)]142
[String]$Account143
)144
145
$Store = "$SafeStore\$($Account).xml" 146
Remove-Item -Path $Store147
}148
149
<#150
.Synopsis151
Converts an encrypted SecureString to plain text.152
153
.Description154
Use if you need to verify or view a password stored155
as a SecureString.156
157
.Parameter SecurePassword158
Password as SecureString.159
160
.Output161
string162
#>163
Function Get-Password {164
Param(165
[parameter(Mandatory=$true)]166
[SecureString]$SecurePassword167
)168
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)169
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)170
}171
172
<#173
.Synopsis174
Creates a list of creds from another server.175
176
.Description177
Use if you need to grab all the passwords from one server to178
another. Passwords are encrypted to server as well as user account.179
This will remove the CSV file upon completion.180
181
.Parameter CSVPath182
Path to CSV.183
184
.Output185
CliXml (multiple)186
#>187
Function Import-ExternalCredsFromCSV {188
Param(189
[parameter(Mandatory=$true)]190
[String]$CSVPath191
)192
193
$StoreExists = Test-Path $SafeStore194
If (-not($StoreExists)) {195
New-Item -Path $BasePath -ItemType Directory196
}197
198
$BaseFile = "Plain_Text_Password_List_Export.csv"199
200
if ($CSVPath.ToLower().Contains(".csv")) {201
$BasePath = Split-Path $CSVPath -Parent202
$CSVPath = "{0}\{1}" -f $BasePath, $BaseFile203
} else {204
$CSVPath = "{0}\{1}" -f $CSVPath, $BaseFile205
}206
207
$RecCount = 0208
$FileCount = 0209
$CSVExists = Test-Path $CSVPath210
if ($CSVExists) {211
Get-Content -Path $CSVPath | ForEach-Object {212
213
$RecCount += 1214
215
$Parts = $_.Split(',')216
$Account = $Parts[0].Trim()217
$PAssword = $Parts[1].Trim()218
$secPass = ConvertTo-SecureString $Password -AsPlainText -Force219
$Cred = New-Object System.Management.Automation.PSCredential ($Account, $secPass)220
$Store = "$SafeStore\$($Account).xml"221
$Cred | Export-CliXml -Path $Store222
223
if (Test-Path -Path $Store) {224
$FileCount += 1225
}226
}227
} else {228
Write-Host "File not found: Invalid path."229
}230
231
if ($RecCount -eq $FileCount) {232
Remove-Item -Path $CSVPath233
} else {234
Write-Host "Record mismatch: Verify all accounts saved. Not removing export CSV. Please remove manually once corrected."235
}236
}237
238
<#239
.Synopsis240
Export a list of creds from current server.241
242
.Description243
Use if you need to grab all the passwords from one server to244
another. Passwords are encrypted to server as well as user account.245
This will create a list of unencrypted passwords for use with246
Import-ExternalCredsFromCSV.247
248
.Parameter CSVPath249
Path to CSV.250
251
.Output252
CSV253
#>254
Function Export-ExternalCredsToCSV {255
Param(256
[parameter(Mandatory=$true)]257
[String]$CSVPath258
)259
$ExportList = @()260
$Exists = Test-Path $SafeStore261
If ($Exists) {262
$FPath = "{0}\*" -f $SafeStore263
Get-ChildItem -Path $FPath -Include "*.xml" | ForEach-Object {264
$Creds = Import-CliXml -Path $_.FullName265
$Account = $Creds.UserName266
$Password = Get-Password -SecurePassword $Creds.Password267
$StrLine = "{0},{1}" -f $Account, $Password268
$ExportList += $StrLine269
}270
}271
$BaseFile = "Plain_Text_Password_List_Export.csv"272
273
if ($SafeStore.ToLower().Contains(".csv")) {274
$BasePath = Split-Path $SafeStore -Parent275
276
if (-not(Test-Path -Path $BasePath)) {277
New-Item -Path $BasePath -ItemType Directory278
}279
$CSVPath = "{0}\{1}" -f $BasePath, $BaseFile280
} else {281
$CSVPath = "{0}\{1}" -f $CSVPath, $BaseFile282
}283
284
$ExportList | Set-Content -Path $CSVPath285
}286
287
Export-ModuleMember -Function Get-Creds288
Export-ModuleMember -Function Set-Creds289
Export-ModuleMember -Function Set-CredsForSpecificAccount290
Export-ModuleMember -Function Remove-Creds291
Export-ModuleMember -Function Get-Password292
Export-ModuleMember -Function Import-ExternalCredsFromCSV293
Export-ModuleMember -Function Export-ExternalCredsToCSV294
295
<# Testing ...296
297
PS C:\Users\NICHOLSCD_x> using module "E:\PSScripts\PSModules\PS-Vault.psm1"298
299
PS C:\Users\NICHOLSCD_x> Set-Creds -Account "mohawke" -Password "P@ssw0rd"300
301
PS C:\Users\NICHOLSCD_x> $Auth = Get-Creds -Account "mohawke"302
303
PS C:\Users\NICHOLSCD_x> $Auth.GetType()304
305
IsPublic IsSerial Name BaseType 306
-------- -------- ---- -------- 307
True True PSCredential System.Object 308
309
PS C:\Users\NICHOLSCD_x> $Auth.UserName310
mohawke311
312
PS C:\Users\NICHOLSCD_x> Get-Password -SecurePassword $Auth.Password313
P@ssw0rd314
315
PS C:\Users\NICHOLSCD_x> Remove-Creds -Account "mohawke"316
317
# Export from one server then import to another. This should create a key on the new server.318
# ** You may need to run as the account that will be using the creds.319
320
PS C:\Users\NICHOLSCD_x> Export-ExternalCredsTo-CSV -CSVPath "E:\PSScripts\SecStore"321
PS C:\Users\NICHOLSCD_x> Import-ExternalCredsFrom-CSV -CSVPath "E:\PSScripts\SecStore"322
#>Hope this is useful to someone.
Tech. junkie, artist, coder, and supporter of open source.
