将 PSCredential 保存在文件中 [英] save PSCredential in the file
问题描述
我知道我可以将密码保存到文件中:
I know I can save password to the file:
Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString | Out-File $passwordfile
并从文件中读取:
$secpasswd = (Get-Content $passwordfile | ConvertTo-SecureString)
然后创建 PSCredential 对象:
and then create PSCredential object:
$credential = New-Object System.Management.Automation.PSCredential($user, $secpasswd)
但是我可以将 $credential 保存在文件中,以便将用户名和他的密码保存在一起吗?
But can I save $credential in the file, so username and his password were kept together?
推荐答案
非 Windows 平台上的更新
自从第一次写这个答案以来,已经发生了很多变化.现代版本的 PowerShell 基于 .net 核心,并跨平台运行.支持整个答案的底层类型称为 [securestring],支持它的安全性和加密来自 Windows 上的数据保护 API (DPAPI),它不是开源的em> 并且不能跨平台使用.
Update on non-Windows Platforms
A lot has changed since this answer was first written. Modern versions of PowerShell are based on .net core, and run cross-platform. The underlying type that enables this whole answer is called [securestring] and the security and encryption that backs it comes from the Data Protection API (DPAPI) on Windows, which is not open source and not available cross-platform.
因此,虽然您可以在非 Windows 平台上使用相同的代码,但请注意绝对没有加密支持.
As such, while you can possibly use the same code here on non-Windows platforms, do note that there will be absolutely no encryption backing it.
tl;dr:不要在非 Windows 平台上使用它!
tl;dr: don't use this on non-Windows platforms!
要轻松存储和检索加密凭据,请使用 PowerShell 的内置 XML 序列化 (Clixml):
To store and retrieve encrypted credentials easily, use PowerShell's built-in XML serialization (Clixml):
$credential = Get-Credential
$credential | Export-CliXml -Path 'C:MyPathcred.xml'
重新导入:
$credential = Import-CliXml -Path 'C:MyPathcred.xml'
要记住的重要一点是,默认情况下,它使用 Windows 数据保护 API,用于加密密码的密钥特定于 用户和运行代码的机器.
The important thing to remember is that by default this uses the Windows data protection API, and the key used to encrypt the password is specific to both the user and the machine that the code is running under.
因此,加密凭据无法由不同用户或不同计算机上的同一用户导入.
As a result, the encrypted credential cannot be imported by a different user nor the same user on a different computer.
通过在不同的运行用户和不同的计算机上对同一凭据的多个版本进行加密,您可以将相同的秘密提供给多个用户.
By encrypting several versions of the same credential with different running users and on different computers, you can have the same secret available to multiple users.
通过将用户名和计算机名放在文件名中,您可以以允许相同代码使用它们而无需硬编码任何内容的方式存储所有加密的秘密:
By putting the user and computer name in the file name, you can store all of the encrypted secrets in a way that allows for the same code to use them without hard coding anything:
# run as each user, and on each computer
$credential = Get-Credential
$credential | Export-CliXml -Path "C:MySecretsmyCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"
使用存储凭据的代码:
$credential = Import-CliXml -Path "C:MySecretsmyCred_${env:USERNAME}_${env:COMPUTERNAME}.xml"
将自动加载运行用户的正确版本的文件(否则会因为文件不存在而失败).
The correct version of the file for the running user will be loaded automatically (or it will fail because the file doesn't exist).
这篇关于将 PSCredential 保存在文件中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
