连接安全字符串 [英] Concatenating secure string
问题描述
在PowerShell中是否可以将安全字符串与变量和不安全字符串连接起来?
Is it possible to concatenate a secure string with variables and unsecure strings in PowerShell?
我有一个公式,用于我们独立环境(无域)中的本地管理员密码.我想将该公式的一部分安全地存储在文件中,然后将其转换为常规字符串,然后将其与另一个对象和另一个字符串连接起来以形成密码.
I have a formula that is used for local administrator passwords in our standalone environment (no domain). I would like to store part of that formula in a file securely, then get that, convert it to a regular string, and concatenate it with another object and another string to form the password.
我的目的不是在我将在一起的工作流程中以纯文本形式显示我们的公式.我还有其他想念的方式吗?太多的机器无法轻松地分别存储每个密码.
My intent is not to expose our formula in plain text in the workflow that I am putting together. Is there another way that I am missing? It's too many machines to easily store each password separately.
推荐答案
Credential objects allow you to decrypt a secure string (source):
PS C:\> $pw = 'bar' | ConvertTo-SecureString -AsPlainText -Force
PS C:\> $pw.GetType().FullName
System.Security.SecureString
PS C:\> $cred = New-Object Management.Automation.PSCredential 'foo', $pw
PS C:\> $cred.GetType().FullName
System.Management.Automation.PSCredential
PS C:\> $cred.UserName
foo
PS C:\> $cred.Password
System.Security.SecureString
PS C:\> $cred.GetNetworkCredential().Password
bar但是,安全字符串的加密密钥与创建安全字符串的用户和计算机绑定在一起,因此不能在另一台计算机上或另一位用户上使用.您可以解决此问题,但是这需要使用您生成的密钥对安全字符串进行加密,并且每当需要解密安全字符串时,该密钥就必须以纯文本(或纯字节)形式提供.哪一种会破坏首先加密它的目的.
However, the encryption key for the secure string is tied to the user and computer that created the secure string, so it's not usable on another computer or by another user. You can work around this, but that would require to encrypt the secure string with a key generated by you, and that key would have to be available in plain text (or rather plain bytes) whenever the secure string needs to be decrypted. Which kinda defeats the purpose of encrypting it in the first place.
最重要的是,如果您有足够的机器来麻烦地存储单独的密码,那么您也有足够的机器来认真考虑将其放入域中.
On top of that, if you have enough machines to make storing separate passwords a hassle, you also have enough machines to seriously consider putting them in a domain.
这篇关于连接安全字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
