Generate Password Encryption

January 12, 2022

by Ed McAndrew

Intended Audience Level: Beginner/Intro

Code Sample Type: Complete Script

Nutanix Technologies: General

Minimum Product Version: N/A

Script/Code Language: PowerShell

REST API Sample? No

REST API Version: N/A

This script generates an AES-encrypted password string (the script and its output refer to it as a "hash") that can then be used in other PowerShell scripts specifically written to decrypt it and use the password. This is an alternative to storing clear-text passwords within PowerShell scripts. It is not 100% effective for security, but better than clear-text: the shared key is pasted into the consuming script next to the encrypted value, so anyone who can read that script can recover the password; what it prevents is the password being readable at a glance.

The script that uses the output of this one must have the encryption and decryption functions included in it. See my NTNX_NGT_Startup_Installer PowerShell script, also available on nutanix.dev, for an example.

Run this script, supply the password to encrypt, then copy/paste everything between (not including) the square brackets.

Code Sample Details

<#
.notes
	##############################################################################
	#	 	 Generate Password Encryption
	#	 	 Filename			:	  GenPasswordEncryption.ps1
	#	 	 Script Version		:	  1.1.3
	##############################################################################
.prerequisites
	1. PowerShell 2 or above ($psversiontable.psversion.major)
	2. Windows Vista or newer.
.synopsis
	This script takes a clear-text password as input and generates an AES-encrypted password string ("hash") to be embedded within other scripts.  The script using this output must have the encryption and decryption functions included in it.
.usage
	Run this script, supply the password to encrypt, then copy/paste everything between (not including) the square brackets.
.disclaimer
    This code is intended as a standalone example.  Subject to licensing restrictions defined on nutanix.dev, this can be downloaded, copied and/or modified in any way you see fit.
    Please be aware that all public code samples provided by Nutanix are unofficial in nature, are provided as examples only, are unsupported and will need to be heavily scrutinized and potentially modified before they can be used in a production environment.  All such code samples are provided on an as-is basis, and Nutanix expressly disclaims all warranties, express or implied.
 
    All code samples are © Nutanix, Inc., and are provided as-is under the MIT license. (https://opensource.org/licenses/MIT)
#>
param(
    [parameter(
        mandatory=$true,
        helpmessage="Please supply the password you wish to convert to hash...")]
    $password
)

# Builds an AES-256-CBC object. $key and $iv may be byte arrays or base64 strings;
# when $iv is omitted .NET generates a random IV on first use (relied on by encrypt-string).
function create-aesmanagedobject($key, $iv) {
    $aesmanaged = new-object "system.security.cryptography.aesmanaged"
    $aesmanaged.mode = [system.security.cryptography.ciphermode]::cbc
    # zero padding: decrypt-string strips the trailing NUL bytes it adds
    $aesmanaged.padding = [system.security.cryptography.paddingmode]::zeros
    $aesmanaged.blocksize = 128
    $aesmanaged.keysize = 256
    if ($iv) {
        if ($iv.gettype().name -eq "string") {
            $aesmanaged.iv = [system.convert]::frombase64string($iv)
        }
        else {
            $aesmanaged.iv = $iv
        }
    }
    if ($key) {
        if ($key.gettype().name -eq "string") {
            $aesmanaged.key = [system.convert]::frombase64string($key)
        }
        else {
            $aesmanaged.key = $key
        }
    }
    $aesmanaged
}

# Input is base64(IV || ciphertext); the first 16 bytes are the IV prepended by encrypt-string
function decrypt-string($key, $encryptedstringwithiv) {
    $bytes = [system.convert]::frombase64string($encryptedstringwithiv)
    $iv = $bytes[0..15]
    $aesmanaged = create-aesmanagedobject $key $iv
    $decryptor = $aesmanaged.createdecryptor()
    $unencrypteddata = $decryptor.transformfinalblock($bytes, 16, $bytes.length - 16)
    $aesmanaged.clear()
    $aesmanaged.dispose()
    # remove the zero padding before returning the clear text
    [system.text.encoding]::utf8.getstring($unencrypteddata).trim([char]0)
}

# Encrypts with a fresh random IV and returns base64(IV || ciphertext)
function encrypt-string($key, $unencryptedstring) {
    $bytes = [system.text.encoding]::utf8.getbytes($unencryptedstring)
    $aesmanaged = create-aesmanagedobject $key
    $encryptor = $aesmanaged.createencryptor()
    $encrypteddata = $encryptor.transformfinalblock($bytes, 0, $bytes.length)
    [byte[]] $fulldata = $aesmanaged.iv + $encrypteddata
    $aesmanaged.clear()
    $aesmanaged.dispose()
    [system.convert]::tobase64string($fulldata)
}
if (-not $password) { exit }

# 32 random bytes = one AES-256 key, drawn from the OS cryptographic RNG
# (Get-Random is not a cryptographic generator and the old 1..124 range also shrank the key space)
[byte[]] $saltarray = new-object byte[] 32
$rng = new-object system.security.cryptography.rngcryptoserviceprovider
$rng.getbytes($saltarray)
$encryptedstring = encrypt-string $saltarray $password
# round trip so the user can see the pasted values really decrypt
$backtoplaintext = decrypt-string $saltarray $encryptedstring

write-host "`r`n#######################################" -foregroundcolor BLUE
write-host "Copy & Paste everything between the square brackets" -nonewline -foregroundcolor GREEN
write-host " [" -nonewline -foregroundcolor YELLOW
write-host "<- ->" -nonewline -foregroundcolor GREEN
write-host "]" -foregroundcolor YELLOW
write-host "#######################################" -foregroundcolor BLUE
write-host "AES Encrypted Password" -nonewline -foregroundcolor GREEN
write-host " [" -nonewline -foregroundcolor YELLOW
write-host " ""$($encryptedstring)"" " -nonewline -foregroundcolor GREEN
write-host "]" -foregroundcolor YELLOW
# key printed as comma-separated decimal bytes, e.g. (17,203,...), ready to paste as a PowerShell array
$sharedkey = $saltarray -join ","
write-host "AES Shared Key" -nonewline -foregroundcolor GREEN
write-host " [" -nonewline -foregroundcolor YELLOW
write-host " ($($sharedkey)) " -nonewline -foregroundcolor GREEN
write-host "]" -foregroundcolor YELLOW
write-host "#######################################" -foregroundcolor BLUE
write-host "Decrypted Password" -nonewline -foregroundcolor GREEN
write-host " [" -nonewline -foregroundcolor YELLOW
write-host "$backtoplaintext" -nonewline -foregroundcolor CYAN
write-host "]`r`n" -foregroundcolor YELLOW
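
The consuming side the text refers to, as an added example that is not the author's script or his NTNX_NGT_Startup_Installer: it parses the two values this generator prints, decrypts them with the same scheme (AES-256-CBC, zero padding, IV prepended) and returns a PSCredential. The function names, the sample password and the account name 'admin' are assumptions; New-SamplePair exists only so the demo runs stand-alone.

```powershell
# Added example, not part of the original script. New-SamplePair stands in for running
# GenPasswordEncryption.ps1; ConvertFrom-EmbeddedPassword is what a consuming script needs.

function New-SamplePair([string]$Plain) {
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Mode = 'CBC'; $aes.Padding = 'Zeros'; $aes.KeySize = 256; $aes.BlockSize = 128
    $aes.GenerateKey(); $aes.GenerateIV()                 # CSPRNG-backed key and IV
    $enc = $aes.CreateEncryptor()
    $pt  = [Text.Encoding]::UTF8.GetBytes($Plain)
    $ct  = $enc.TransformFinalBlock($pt, 0, $pt.Length)
    # Same two strings the generator prints between its square brackets
    $cipherText = '"' + [Convert]::ToBase64String([byte[]]($aes.IV + $ct)) + '"'
    $keyText    = '(' + ($aes.Key -join ',') + ')'
    $enc.Dispose(); $aes.Dispose()
    return $cipherText, $keyText
}

function ConvertFrom-EmbeddedPassword {
    param([string]$CipherText, [string]$KeyText, [string]$UserName)
    # "(12,200,...)" -> byte[]; reject anything that is not a 32-byte AES-256 key
    [byte[]] $key = ($KeyText -replace '[()\s]', '') -split ',' | ForEach-Object { [byte]$_ }
    if ($key.Length -ne 32) { throw "Expected 32 key bytes (AES-256), got $($key.Length)" }
    $blob = [Convert]::FromBase64String(($CipherText -replace '["\s]', ''))
    if ($blob.Length -lt 32 -or ($blob.Length % 16) -ne 0) { throw 'Expected 16-byte IV + whole AES blocks' }
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Mode = 'CBC'; $aes.Padding = 'Zeros'; $aes.KeySize = 256; $aes.BlockSize = 128
    $aes.Key = $key
    $aes.IV  = [byte[]]$blob[0..15]                       # IV is the first 16 bytes
    $dec = $aes.CreateDecryptor()
    try {
        $ptBytes = $dec.TransformFinalBlock($blob, 16, $blob.Length - 16)
        # Zero padding leaves trailing NULs; strip them and return a SecureString-backed
        # credential rather than handing the clear text back as a plain string
        $secure = ConvertTo-SecureString ([Text.Encoding]::UTF8.GetString($ptBytes).TrimEnd([char]0)) -AsPlainText -Force
        New-Object System.Management.Automation.PSCredential ($UserName, $secure)
    } finally {
        if ($ptBytes) { [Array]::Clear($ptBytes, 0, $ptBytes.Length) }
        $dec.Dispose(); $aes.Dispose()
    }
}

# Round trip with a constructed sample password and an assumed account name
$ct, $kt = New-SamplePair 'S3cret!Pa55'
$cred = ConvertFrom-EmbeddedPassword -CipherText $ct -KeyText $kt -UserName 'admin'
if ($cred.GetNetworkCredential().Password -ne 'S3cret!Pa55') { throw 'round trip failed' }
"Round trip OK for $($cred.UserName)"
```

In a real consuming script the `$ct`/`$kt` literals are the values copied from this generator's output, and the length checks catch a truncated paste before decryption produces garbage.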