Assume I have a custom PowerShell Cmdlet that exports data and encrypts it using a password.
[Cmdlet(VerbsData.Export, "SampleData")]
public class ExportSample
SecureString handling gives you a feeling of being a bit more secure, even if this is not the case. You can easily encrypt any SecureString like this...
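$mrsh = [System.Runtime.InteropServices.Marshal]
$ptr = $mrsh::SecureStringToBSTR($secureString)   # unmanaged plaintext copy of the SecureString
$pass = $mrsh::PtrToStringBSTR($ptr)              # PtrToStringAuto truncates the value on non-Windows platforms
$mrsh::ZeroFreeBSTR($ptr)                         # zero and free the unmanaged copy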
or even without marshalling just with a webclient-object like this...
$cred = Get-Credential
$web = [Net.WebClient]::new()
$web.Credentials = [System.Net.NetworkCredential]::new($cred.UserName,$cred.Password)
$pass = $web.Credentials.Password
So, in sum, neither the password nor the SecureString password should be stored permanently as a file or anything else. Make the lifetime of this information as short as possible - e.g. from entering the password till a cleanup of the password variable and all its inherited variables like so:
Remove-Variable pass, cred, web -ea 0
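One way to keep the plaintext lifetime short, as an added example that is not part of the original post: `Remove-Variable` only drops the reference to an immutable .NET string, so this sketch copies the secret into a byte array that can be overwritten and hands it to a key-derivation call. `Use-SecretBytes`, the sample secret and the PBKDF2 parameters are assumptions made for illustration; the `Rfc2898DeriveBytes` overload used needs .NET Framework 4.7.2 or later.

```powershell
# Added example; Use-SecretBytes is a hypothetical helper, not an existing cmdlet.
function Use-SecretBytes {
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $Secret,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    $ptr     = [IntPtr]::Zero
    $bytes   = [byte[]]::new($Secret.Length * 2)      # UTF-16LE, two bytes per character
    try {
        $ptr = $marshal::SecureStringToBSTR($Secret)  # unmanaged plaintext copy
        $marshal::Copy($ptr, $bytes, 0, $bytes.Length)
        & $Action $bytes                              # plaintext exists only during this call
    }
    finally {
        # Runs even if $Action throws: wipe both plaintext copies.
        if ($ptr -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($ptr) }
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

# Constructed sample secret; in a cmdlet it would arrive as a [SecureString] parameter.
$secure = [System.Security.SecureString]::new()
foreach ($c in 'constructed-sample'.ToCharArray()) { $secure.AppendChar($c) }
$secure.MakeReadOnly()

# Random salt, to be stored next to the exported data.
$salt = [byte[]]::new(16)
$rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($salt)
$rng.Dispose()

# Derive a 256-bit key without ever building a [string] from the password.
$key = Use-SecretBytes -Secret $secure -Action {
    param([byte[]] $pw)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $pw, $salt, 100000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { , $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}
$secure.Dispose()

"Derived a $($key.Length)-byte key"
# ... encrypt the export with $key here, then wipe the key as well.
[Array]::Clear($key, 0, $key.Length)
```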