Using PowerShell to Encrypt Secrets and Files

Today (technically yesterday) marks the release of PowerPass v3, the most refined version of the module to date. This new release includes double-key encryption: the secrets and files are encrypted with a key, and the internal properties of the secrets are encrypted again with an ephemeral key, one that is not stored anywhere but is generated at run time from the user’s operating environment. This enhancement was added with the intention of protecting against in-memory attack vectors, and it also adds yet another layer of protection to the data on disk.

Download PowerPass from Github

So why would anyone go about creating yet another security module for PowerShell? For one, it was a great programming exercise. It helped me learn more about encryption and security, concepts familiar to me, but with the added pressure of creating and supporting a tool for public use that was (1) turn-key, (2) well-documented, and (3) cross-platform. Encryption suites like the Windows Data Protection API are easy to use, but fail when applied to Linux or macOS because the operating system does not support them. AES algorithms, however, are available on every major operating system and provide durable protection against brute-force attack.

Encryption has always been a fascination of mine; using math to protect information from getting into the wrong hands. The latter half of my career brought me into a devops role where PowerShell became a go-to utility for automation. As my volume of clients grew, and modules I’d written for them grew as well, one common theme kept appearing: how can I get access to a set of credentials securely and without any user present at the time? So at the end of 2023 I created PowerPass, a module for PowerShell that encrypts secrets and files without requiring a password or any configuration at all, for that matter, nor elevated privileges (this is very important).

The concept that makes PowerPass possible is called the ephemeral key. Ephemeral keys are cryptographically strong identifiers that are specific to the user session and cannot be “stolen” in the usual sense: they are not exportable, because they are never stored anywhere, such as in a file on disk. These keys are generated from components of the user environment. Encrypting a file with such a key and storing that file in the user’s profile directory provides a reasonable level of security for storing sensitive information. Other popular tools like GnuPG follow this model, storing keys inside the user profile directory. This design limits exposure to only the operators or admins of the machine itself, relying on the file system security native to the operating system to protect your secrets.
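To make the ephemeral-key idea concrete, here is an added PowerShell sketch (not PowerPass’s own code; the module’s actual derivation is not shown in this post). It derives an AES key at run time from components of the user environment, never writes that key to disk, and uses it to protect a secret file in the profile directory. The choice of username, machine name and profile path as inputs, and the function names, are assumptions made for the example.

```powershell
# Added illustration of the ephemeral-key idea (not PowerPass's own code): derive
# an AES key from the user environment at run time, never write it to disk, and
# use it to protect a secret file in the profile. The inputs chosen are assumed.

function Get-EphemeralKey {
    # Inputs stable for this user on this machine. Anyone who can reproduce them
    # can reproduce the key, so the design leans on OS session and file permissions.
    $components = @(
        [Environment]::UserName,
        [Environment]::MachineName,
        [Environment]::GetFolderPath('UserProfile')
    ) -join "`0"
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # 32-byte digest serves as the AES-256 key; it exists only in memory
        return $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($components))
    } finally { $sha.Dispose() }
}

function Protect-Secret {
    param([string]$PlainText, [string]$Path)
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES-CBC, PKCS7 by default
    try {
        $aes.Key = Get-EphemeralKey
        $aes.GenerateIV()
        $enc = $aes.CreateEncryptor()
        $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
        $cipher = $enc.TransformFinalBlock($bytes, 0, $bytes.Length)
        # File layout: 16-byte IV followed by ciphertext; the key is never written
        [IO.File]::WriteAllBytes($Path, [byte[]]($aes.IV + $cipher))
    } finally { $aes.Dispose() }
}

function Unprotect-Secret {
    param([string]$Path)
    $data = [IO.File]::ReadAllBytes($Path)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = Get-EphemeralKey          # re-derived, not read from anywhere
        $aes.IV  = [byte[]]$data[0..15]
        $dec = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($data, 16, $data.Length - 16)
        return [Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}
# Store in the user's profile, where OS file permissions limit who can read it
$store = Join-Path ([Environment]::GetFolderPath('UserProfile')) '.example-secret.bin'
Protect-Secret -PlainText 'constructed-sample-token' -Path $store
Unprotect-Secret -Path $store    # same user and machine -> 'constructed-sample-token'
```

Running the last line as a different user, or on another machine, derives a different key and the decryption fails, which is the property the post relies on.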

So if you find yourself looking for a tool to store and recall secrets automatically without having to purchase an expensive system to do so, grab a copy of PowerPass and try it out. It’s released under the GPLv2, so it’s free to use, distribute and modify. I’ve done a lot of paid work over my career. It’s enjoyable to have time now to build tools for the community. Happy coding!
