Export (0) Print
Expand All

ConvertFrom-SecureString

Updated: May 7, 2014

Applies To: Windows PowerShell 4.0

ConvertFrom-SecureString

Converts a secure string into an encrypted standard string.

Syntax

Parameter Set: Secure
ConvertFrom-SecureString [-SecureString] <SecureString> [[-SecureKey] <SecureString> ] [ <CommonParameters>]

Parameter Set: Open
ConvertFrom-SecureString [-SecureString] <SecureString> [-Key <Byte[]> ] [ <CommonParameters>]




Detailed Description

The ConvertFrom-SecureString cmdlet converts a secure string (System.Security.SecureString) into an encrypted standard string (System.String). Unlike a secure string, an encrypted standard string can be saved in a file for later use. The encrypted standard string can be converted back to its secure string format by using the ConvertTo-SecureString cmdlet.

If an encryption key is specified by using the Key or SecureKey parameters, the Advanced Encryption Standard (AES) encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the AES encryption algorithm. If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.

Parameters

-Key<Byte[]>

Specifies the encryption key as a byte array.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SecureKey<SecureString>

Specifies the encryption key as a secure string. The secure string value is converted to a byte array before being used as the key.


Aliases

none

Required?

false

Position?

2

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SecureString<SecureString>

Specifies the secure string to convert to an encrypted standard string.


Aliases

none

Required?

true

Position?

1

Default Value

none

Accept Pipeline Input?

true (ByValue)

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see  about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • System.Security.SecureString

    You can pipe a SecureString object to ConvertFrom-SecureString.


Outputs

The output type is the type of the objects that the cmdlet emits.

  • System.String

    ConvertFrom-SecureString returns a standard string object.


Notes

  • To create a secure string from characters that are typed at the command prompt, use the AsSecureString parameter of the Read-Host cmdlet.

    When you use the Key or SecureKey parameters to specify a key, the key length must be correct. For example, a key of 128 bits can be specified as a byte array of 16 digits. Similarly, 192-bit and 256-bit keys correspond to byte arrays of 24 and 32 digits, respectively.

Examples

-------------------------- EXAMPLE 1 --------------------------

This command creates a secure string from characters that you type at the command prompt. After entering the command, type the string you want to store as a secure string. An asterisk (*) is displayed to represent each character that you type.


PS C:\> $SecureString = Read-Host -AsSecureString

-------------------------- EXAMPLE 2 --------------------------

This command converts the secure string in the $SecureString variable to an encrypted standard string. The resulting encrypted standard string is stored in the $StandardString variable.


PS C:\> $StandardString = ConvertFrom-SecureString $SecureString

-------------------------- EXAMPLE 3 --------------------------

These commands use the Advanced Encryption Standard (AES) algorithm to convert the secure string stored in the $SecureString variable to an encrypted standard string with a 192-bit key. The resulting encrypted standard string is stored in the $standardstring variable.

The first command stores a key in the $Key variable. The key is an array of 24 digits, all of which are less than 256.

Because each digit represents a byte (8 bits), the key has 24 digits for a total of 192 bits (8 x 24). This is a valid key length for the AES algorithm. Each individual value is less than 256, which is the maximum value that can be stored in an unsigned byte.

The second command uses the key in the $Key variable to convert the secure string to an encrypted standard string.


PS C:\> $Key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
PS C:\>$StandardString = ConvertFrom-SecureString $SecureString -Key $Key

Related topics



Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft