将PSCredential保存在文件中 [英] save PSCredential in the file
问题描述
我知道可以将密码保存到文件:
I know I can save password to the file:
Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString | Out-File $passwordfile
并从文件中读取:
$secpasswd = (Get-Content $passwordfile | ConvertTo-SecureString)
,然后创建PSCredential对象:
and then create PSCredential object:
$credential = New-Object System.Management.Automation.PSCredential($user, $secpasswd)
但是我可以在文件中保存$ credential吗,所以用户名和他的密码保存在一起?
But can I save $credential in the file, so username and his password were kept together?
推荐答案
在非Windows平台上更新
自从首次撰写此答案以来,发生了很多变化。 PowerShell的现代版本基于.net核心,并且可以跨平台运行。支持整个答案的基础类型称为 [securestring] ,支持它的安全性和加密来自Windows上的数据保护API(DPAPI),即不是开放源代码,并且无法使用跨平台。
Update on non-Windows Platforms
A lot has changed since this answer was first written. Modern versions of PowerShell are based on .net core, and run cross-platform. The underlying type that enables this whole answer is called [securestring] and the security and encryption that backs it comes from the Data Protection API (DPAPI) on Windows, which is not open source and not available cross-platform.
因此,尽管您可以在非Windows平台上使用相同的代码,但请注意,绝对不会有加密支持。
As such, while you can possibly use the same code here on non-Windows platforms, do note that there will be absolutely no encryption backing it.
tl; dr:请勿在非Windows平台上使用!
tl;dr: don't use this on non-Windows platforms!
要轻松存储和检索加密的凭据,请使用PowerShell的内置XML序列化(Clixml):
To store and retrieve encrypted credentials easily, use PowerShell's built-in XML serialization (Clixml):
$credential = Get-Credential
$credential | Export-CliXml -Path 'C:\My\Path\cred.xml'
到重新导入:
$credential = Import-CliXml -Path 'C:\My\Path\cred.xml'
要记住的重要一点是,默认情况下,它使用Windows数据保护API,并且密钥用于加密密码的密码特定于用户和运行代码的计算机。
The important thing to remember is that by default this uses the Windows data protection API, and the key used to encrypt the password is specific to both the user and the machine that the code is running under.
因此,加密的凭据不能由其他用户或同一用户在另一台计算机上导入。
As a result, the encrypted credential cannot be imported by a different user nor the same user on a different computer.
通过使用不同的运行用户和不同的计算机加密同一证书的多个版本,您可以具有供多个用户使用的相同机密。
By encrypting several versions of the same credential with different running users and on different computers, you can have the same secret available to multiple users.
通过将用户名和计算机名放在文件名中,可以以允许以下方式存储所有加密机密的方式:相同的代码即可使用它们而无需进行任何硬编码:
By putting the user and computer name in the file name, you can store all of the encrypted secrets in a way that allows for the same code to use them without hard coding anything:
# run as each user, and on each computer
$credential = Get-Credential
$credential | Export-CliXml -Path "C:\My\Secrets\myCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"
使用存储的凭据的代码:
The code that uses the stored credentials:
$credential = Import-CliXml -Path "C:\My\Secrets\myCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"
将为正在运行的用户自动加载正确版本的文件(否则将失败,因为该文件不存在)。
The correct version of the file for the running user will be loaded automatically (or it will fail because the file doesn't exist).
这篇关于将PSCredential保存在文件中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
