Using Encrypting File System (EFS) to Protect Passwords

by Apr 3, 2014

If you absolutely need to hardcode passwords and other secrets into your scripts (which you should avoid for obvious reasons), then you might still be safe when you encrypt the script with the EFS (Encrypting File System). Encrypted scripts can only be read (and run) by the one that encrypted it, so this works only if you are running the script yourself, and if you are running it from your machine.

Here's an easy way of encrypting a PowerShell script:

# create some sample script
# replace path with some real-world existing script if you want
# and remove the line that creates the script
$path = "$env:temp\test.ps1"
"Write-Host 'I run only for my master.'" > $path

$file = Get-Item -Path $path

Once you run this, it will create a new PowerShell script in your temp folder that is encrypted by EFS (if you get an error message instead, then EFS might either not be available or disabled on your machine).

Once encrypted, the file will appear in green when viewed in Windows Explorer, and only you will be able to run it. No one else can even see the source code.

Note that in many corporate environments, EFS is set up with recovery keys that allow specific recovery personnel to decrypt files with a master key. If no such master key exists, once you lose your EFS certificate, even you will not be able to view or run the script anymore.

Twitter This Tip! ReTweet this Tip!