gpg with powershell - passphrase security

Question

I'm using gnupg to encrypt and decrypt data via powershell script and the problem is, that I have passphrase in the code. It's propably not the best solution. Which is the best and secure way to provide passphrase to script? Thank you.

C:\"Program Files"\GNU\GnuPG\gpg2.exe --passphrase mypassphrase --batch --output C:\Z\$decrypted_file.xls --decrypt C:\_Zo\$encrypted_file

Answer 1

You can Crypt the passphrase or the password on the disk.

The following solution use computer as a user.

The following two scripts the securot framework .NET assembly.

For server computers, it's possible to protect the secret by the computer identity. This code use the fact that any people who can run code on the computer can access the password. So the passwword file can be shared accross the network, it can only be decoded by the server itself. You can add ACL to the password file for it to be read only by some group of users.

Crypting (must be done on the server computer) :

# Mandatory Framework .NET Assembly 
Add-Type -assembly System.Security

# String to Crypt
$passwordASCII = Read-Host -Prompt "Entrer le mot de passe"

# String to INT Array
$enc = [system.text.encoding]::Unicode
$clearPWD_ByteArray = $enc.GetBytes( $passwordASCII.tochararray())

# Crypting
$secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$bakCryptedPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Protect($clearPWD_ByteArray, $null, $secLevel)

# Store in Base 64 form
$B64PWD_ByteArray = [Convert]::ToBase64String($bakCryptedPWD_ByteArray)
Set-Content -LiteralPath c:\Temp\pass.txt -Value $B64PWD_ByteArray

DeCoding :

# Mandatory Framework .NET Assembly
Add-Type -assembly System.Security

# Getting from Base 64 storage
$resCryptedPWD_ByteArray = [Convert]::FromBase64String((Get-Content -LiteralPath c:\Temp\pass.txt))

# Decoding
$secLevel = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$clearPWD_ByteArray = [System.Security.Cryptography.ProtectedData]::Unprotect( $resCryptedPWD_ByteArray, $null, $secLevel )

# Dtring from int Array
$enc = [system.text.encoding]::Unicode
$enc.GetString($clearPWD_ByteArray)