Did you know that just by using PowerShell you can create a secure password management tool that encrypts passwords stored on disk that are easily accessible? If not, you're in luck because I'll be revealing how to do it in this article!

Before we can begin actually creating a tool, we first need to get the basics down and understand how to store and retrieve a single password from this little tool we'll be building.

One way that PowerShell stores sensitive information on disk is through secure strings. Secure strings are just like they sound—simple strings encrypted via the logged-in user's certificate. Creating a secure string is easy using the ConvertTo-SecureString command.

Let's say I have a password and I need to encrypt it. I can prompt for input via the Read-Host command using the AsSecureString parameter, which will obfuscate my input and return a secure string.

Typing my password and hitting Enter returns nothing because I've stored the output to $securePassword, but by looking at that variable's value, it's clear my input is encrypted.

Encrypted string

Encrypted string

Once I have an encrypted string, I then need to save it to a file. Since I'll be using this code to build a tool, I'll come up with a clever naming convention for the file like .txt and store the encrypted text inside it.

I now have a password with a label (PayPal) stored securely on disk. At this point, I need to retrieve it from the file. To do this, I can use Get-Content to read the file and then create a PSCredential object from the secure string.

We now have a secure password, but we need to decrypt it somehow. This requires a bit of code juju this author doesn't quite understand, but it works!

We've now input a password, stored it securely on disk, read it, and decrypted it—the entire workflow. Now let's create a tool for this.

To build a PowerShell tool, you have to use some functions, and this situation is no different. We need to create functions to save the password and retrieve it. Two functions called Get-Password and Save-Password should do the trick!

Now that we've got PowerShell functions to receive password input, save it, read the password, and decrypt it using an identifier called Label, we can try it out!

Subscribe to 4sysops newsletter!

Using our password management tool

Using our password management tool

PowerShell toolmaking is highly customizable. You can do many different things with this example, but I hope this one gives you some great ideas to build your own password management tool in PowerShell!

  1. +1
    • Yep!

      is shorter than

      By the way, Adam himself wrote a good post about this method 😉


      In PowerShell, there are many ways to achieve our goals...


  2. Sreenivas kumar 2 years ago

    I can't use this method to call already encrypted password in diffrent system....

    Means, if i call to decrypt password in other system it won't work right...?

    Is there anyway that we can do this..?


  3. If you just use the ConvertTo-SecureString at its default, it's only used by that user on that system.  Is uses the Windows dataprotection API which generates a unique key for that user on that system.

    However, you can use -key or -securekey to encrypt the string with a known key.  Then you can reverse it with the ConvertFrom-SecureString with the same key or securekey, and it will not matter which system it is on.  But, then you are back to the same problem of using and storing that key securely.

    David F.


Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account