I'm using gnupg to encrypt and decrypt data via a PowerShell script, and the problem is that I have the passphrase in the code. It's probably not the best solution. What is the best and most secure way to provide the passphrase to the script? Thank you.

C:\"Program Files"\GNU\GnuPG\gpg2.exe --passphrase mypassphrase --batch --output C:\Z\$decrypted_file.xls --decrypt C:\_Zo\$encrypted_file 

1 Answer

You can encrypt the passphrase or the password on the disk.

The following solution uses the computer as a user.

The following two scripts use the security .NET Framework assembly.

For server computers, it's possible to protect the secret by the computer identity. This code uses the fact that anyone who can run code on the computer can access the password. So the password file can be shared across the network; it can only be decoded by the server itself. You can add an ACL to the password file so that it is readable only by some group of users.

Encrypting (must be done on the server computer):

    # Mandatory .NET Framework assembly
    Add-Type -AssemblyName System.Security
    # String to encrypt
    $passwordASCII = Read-Host -Prompt "Entrer le mot de passe"
    # String to byte array (UTF-16)
    $enc = [System.Text.Encoding]::Unicode
    $clearPWD_ByteArray = $enc.GetBytes($passwordASCII.ToCharArray())
    # Encrypting with DPAPI, bound to this machine (LocalMachine scope)
    $secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    $bakCryptedPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Protect($clearPWD_ByteArray, $null, $secLevel)
    # Store in Base64 form
    $B64PWD_ByteArray = [Convert]::ToBase64String($bakCryptedPWD_ByteArray)
    Set-Content -LiteralPath c:\Temp\pass.txt -Value $B64PWD_ByteArray

Decoding:

    # Mandatory .NET Framework assembly
    Add-Type -AssemblyName System.Security
    # Getting from Base64 storage
    $resCryptedPWD_ByteArray = [Convert]::FromBase64String((Get-Content -LiteralPath c:\Temp\pass.txt))
    # Decoding with DPAPI (same scope as used for encrypting)
    $secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
    $clearPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Unprotect($resCryptedPWD_ByteArray, $null, $secLevel)
    # String from byte array
    $enc = [System.Text.Encoding]::Unicode
    $enc.GetString($clearPWD_ByteArray)
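As an added example (not code from the answer above), the same DPAPI approach wrapped into functions, combined with feeding the passphrase to gpg2 over stdin so it never appears on the command line, where any local user can read it from the process list. The file paths, the entropy value and the gpg2 path are assumptions; gpg2 is assumed to be GnuPG 2.1 or later, which supports `--pinentry-mode loopback`.

```powershell
Add-Type -AssemblyName System.Security

# Optional extra entropy (assumed value): the file can then only be unprotected
# by code that supplies the same value AND runs on the same machine.
$Entropy = [Text.Encoding]::UTF8.GetBytes('gpg-decrypt-job-v1')

function Protect-Passphrase {
    param([string]$Path)
    $secure = Read-Host -Prompt 'Enter the gpg passphrase' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $bytes = [Text.Encoding]::UTF8.GetBytes(
                     [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $blob = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy,
                    [Security.Cryptography.DataProtectionScope]::LocalMachine)
        Set-Content -LiteralPath $Path -Value ([Convert]::ToBase64String($blob))
        [Array]::Clear($bytes, 0, $bytes.Length)   # wipe the plaintext copy
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Unprotect-Passphrase {
    param([string]$Path)
    $blob = [Convert]::FromBase64String((Get-Content -LiteralPath $Path -Raw).Trim())
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy,
                 [Security.Cryptography.DataProtectionScope]::LocalMachine)
    $clear = [Text.Encoding]::UTF8.GetString($bytes)
    [Array]::Clear($bytes, 0, $bytes.Length)
    return $clear
}

function Invoke-GpgDecrypt {
    param([string]$PassFile, [string]$InFile, [string]$OutFile)
    $gpg = 'C:\Program Files\GNU\GnuPG\gpg2.exe'
    # --passphrase-fd 0 makes gpg2 read the passphrase from stdin, so it never
    # appears in the command line, which every local user can list.
    Unprotect-Passphrase -Path $PassFile |
        & $gpg --batch --pinentry-mode loopback --passphrase-fd 0 `
               --output $OutFile --decrypt $InFile
    if ($LASTEXITCODE -ne 0) { throw "gpg2 exited with code $LASTEXITCODE" }
}

# Run once, interactively, on the server that will do the decrypting:
# Protect-Passphrase -Path 'C:\Z\pass.txt'
# Then from the scheduled script:
# Invoke-GpgDecrypt -PassFile 'C:\Z\pass.txt' -InFile 'C:\_Zo\data.xls.gpg' -OutFile 'C:\Z\data.xls'
```

Restrict the pass file with an ACL to the account that runs the job; LocalMachine scope means any process on that server can unprotect it, so the ACL is what limits who can read it.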

2 Comments

Thank you, JPBlanc. If I understand right, I encrypt the passphrase once and include the decoding part in my script. I've tested it and it works fine, but I cannot figure out which variable holds the decoded passphrase to use it in my gpg2.exe parameters.
OK, I've solved it. I have included the decoding part in my script and use $end.GetString($clearPWD_ByteArray) as the passphrase. Please confirm if this method is right (secure). Thanks.
