What it means when we say Encryption Key is unique for User and Machine

This topic contains 6 replies, has 3 voices, and was last updated by Kiran Chilledout 6 months, 3 weeks ago.

  • #38981
    Kiran Chilledout
    Participant

    I am following the book "PowerShell In Depth" and in the Credentials topic I found this line:

    "When PowerShell performs that encryption, it does so using a locally
    stored encryption key. Move the script and password file to another machine and it
    won't work, because the local encryption key will be different"

    But when I tried to import the encrypted password from another server, using the same file (which was stored on my roaming profile), I could still decrypt the password.

    So is the encryption key user dependent?

  • #38983
    Alex
    Participant

    Hi Kiran,

    When using an encryption key it will work between machines. If you don't specify an encryption key it will not work between machines.

    TechNet ConvertTo-SecureString

    Let me know if that helps, I can go into more detail if you want 🙂

    Cheers.

  • #38987
    Kiran Chilledout
    Participant

    Thank you Alex. I did not use the -Key parameter but was still able to reproduce the password in plain text that was in encrypted text format (output of ConvertFrom-SecureString) between machines on the same domain.
    However the file was stored in my Roaming Profile.

  • #38989
    Alex
    Participant

    Hmm, that is interesting.

    I wonder if it thinks it's the same machine because it's stored in your roaming profile.

    Would be one to test (I don't have a roaming profile set up here). Let me see if I can test by putting it in a share.

  • #38991
    Dave Wyatt
    Moderator

    The encryption keys are stored in your user profile, so roaming profiles should be fine cross-machine. There's also an AD feature called Credential Roaming which can make this work without needing to use roaming profiles.

  • #38992
    Alex
    Participant

    Thank you Dave, that is interesting. Something to keep a note of 🙂

  • #38993
    Kiran Chilledout
    Participant

    Thank you Dave, it makes sense to me now.
    Thank you Alex.
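
To check the behaviour discussed in the replies about -Key and about keys living in the user profile, the following PowerShell is an added example, not code from any poster or from the book. It assumes Windows, where ConvertFrom-SecureString without -Key protects the string with DPAPI under the current user's keys; the sample secret, the file names and the Test-CanDecrypt helper are constructed for illustration.

```powershell
# Added example. Secret, file names and helper name are constructed.
# Assumes Windows, where ConvertFrom-SecureString without -Key uses DPAPI.
$secure = ConvertTo-SecureString -String 'Sample-Passw0rd!' -AsPlainText -Force

# 1) No -Key: DPAPI, bound to the current user's keys (kept in the user profile).
$dpapiFile = Join-Path $env:TEMP 'demo-dpapi.txt'
$secure | ConvertFrom-SecureString | Set-Content -Path $dpapiFile

# 2) With -Key: AES under a 16-, 24- or 32-byte key that you store and protect yourself.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()
$aesFile = Join-Path $env:TEMP 'demo-aes.txt'
$secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $aesFile

function Test-CanDecrypt {
    # Returns $true if the stored string can be converted back to a SecureString
    # in the current user/machine context, optionally with an explicit AES key.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [byte[]] $Key
    )
    $params = @{
        String      = Get-Content -Path $Path -TotalCount 1
        ErrorAction = 'Stop'
    }
    if ($PSBoundParameters.ContainsKey('Key')) { $params['Key'] = $Key }
    try   { $null = ConvertTo-SecureString @params; return $true }
    catch { return $false }
}

# Report which stored form is usable in this logon context.
[pscustomobject]@{
    Context    = "$env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
    DpapiNoKey = Test-CanDecrypt -Path $dpapiFile
    AesWithKey = Test-CanDecrypt -Path $aesFile -Key $key
    AesNoKey   = Test-CanDecrypt -Path $aesFile
}

# Remove the demo files when finished.
Remove-Item -Path $dpapiFile, $aesFile -ErrorAction SilentlyContinue
```

To compare contexts, keep the two files and the key bytes, then run only Test-CanDecrypt as a different user or on a machine that does not have the same profile. A -Key file is only as protected as the place the key bytes are stored.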
