无-AsPlainText -Force的ConvertTo-SecureString [英] ConvertTo-SecureString without -AsPlainText -Force

问题描述

PSScriptAnalyzer具有PSAvoidUsingConvertToSecureStringWithPlainText警告.这意味着使用以下代码将失败.

The PSScriptAnalyzer has a PSAvoidUsingConvertToSecureStringWithPlainText warning. Meaning that using the following code will fail.

$password = [System.Web.Security.Membership]::GeneratePassword(128,0)
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$configCredential = New-Object System.Management.Automation.PSCredential ($username,$securePassword)

但是，关于如何在没有-AsPlainText -Force选项的情况下将常规字符串转换为安全字符串的指导很少(/没有). (我确实了解了常规字符串的安全性)

However there is very little (/none) guidance on how convert a regular string into a secure string without the -AsPlainText -Force options. (I do understand the security implications of regular strings)

如何安全地实现以上/而不会激怒PSScriptAnalyzer(我不想抑制消息)

How can I achieve the above securely / without irking PSScriptAnalyzer (I'm not looking to suppress the message)

推荐答案

我不太清楚您要问的是什么，但是我会针对您对问题的不同解释给出答案.

I can't quite tell what you're asking, but I'll give answers for the different interpretations I have for your question.

您可以将常规字符串直接传递给构造函数，它将内部将其转换为SecureString.

You can pass a regular string directly to the constructor and it will convert it to a SecureString internally.

$password = [System.Web.Security.Membership]::GeneratePassword(128,0)
$configCredential = New-Object PSCredential ($username, $password)

但是，使用SecureString值的最佳实践是首先不要在明文中包含秘密值-必须使用-AsPlainText指定-Force的原因，以及可能也是为什么PSScriptAnalyzer规则首先存在的原因的地方，就是劝阻这种做法.如果您依靠SecureString的安全性来缓解威胁，则应遵循这种轻柔的强制措施，避免使用纯文本$password变量:

However, best practice when using SecureString values is to never have the secret value in plaintext in the first place - the reason you have to specify -Force with -AsPlainText, and probably also why the PSScriptAnalyzer rule exists in the first place, is to discourage this practice. If you rely on the security of the SecureString for threat mitigation, you should follow this gentle coercion by avoiding the plaintext $password variable:

$configCredential = New-Object PSCredential ($username, [System.Web.Security.Membership]::GeneratePassword(128,0))

如何在不触发或抑制PSScriptAnalyzer错误的情况下将字符串转换为安全字符串?"

如果您不关心凭证对象本身，而是想要一个不使用ConvertTo-SecureString的SecureString，则仍然可以(ab)使用PSCredential类来实现此目的.一个更易于阅读的示例:

"How can I convert a string to a secure string without tripping or suppressing PSScriptAnalyzer errors?"

If you don't care about the credential object itself, but want a SecureString without using ConvertTo-SecureString, you can still (ab)use the PSCredential class for this purpose. An easier to read example:

$password = [System.Web.Security.Membership]::GeneratePassword(128,0)
$configCredential = New-Object PSCredential ($username, $password)
$securePassword = $configCredential.Password

遵循最佳实践的一线做法:

A one-liner that follows best practices:

$securePassword = New-Object PSCredential ($username, [System.Web.Security.Membership]::GeneratePassword(128,0)) | Select-Object -ExpandProperty Password

您还可以将字符串分成多个字符，并将它们一个接一个地附加到SecureString上:

You can also divide a string into characters and append them to a SecureString one by one:

$securePassword = New-Object SecureString
foreach ($char in [System.Web.Security.Membership]::GeneratePassword(128,0).ToCharArray()) {
    $securePassword.AppendChar($char)
}

这篇关于无-AsPlainText -Force的ConvertTo-SecureString的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！