[PowerShell每日技巧]保存敏感数据(20140404)

DAIC

If you wanted to store sensitive data in a way that only you could retrieve it, you can use a funny approach: convert some plain text into a secure string, then convert the secure string back, and save it to disk:

1. $storage = "$env:temp\secretdata.txt"
   
2. $mysecret = 'Hello, I am safe.'
   
3. 
   
4. $mysecret |
   
5.   ConvertTo-SecureString -AsPlainText -Force |
   
6.   ConvertFrom-SecureString |
   
7.   Out-File -FilePath $storage

复制代码

Your secret was automatically encrypted by the built-in Windows data protection API (DPAPI), using your identity and your machine as encryption key. So only you (or any process that runs on your behalf) can decipher the secret again, and only on the machine where it was encrypted.

To get back the secret, try this:

1. $storage = "$env:temp\secretdata.txt"
   
2. $secureString = Get-Content -Path $storage |
   
3.   ConvertTo-SecureString
   
4. 
   
5. $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secureString)
   
6. $mysecret = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
   
7. 
   
8. $mysecret

复制代码

It works--you get back the exact same text that you encrypted before.

Now, try the same as someone else. You will see that any other user cannot decrypt the secret file. And you won't be able to, either, when you try it from a different machine.

http://powershell.com/cs/blogs/tips/archive/2014/04/04/storing-secret-data.aspx