How can we pass the credentials in a secure way in ServiceNow PowerShell scripts?

ragz
Tera Expert

Currently I am using this:

# Plaintext password embedded in the script
$user = "xx_user"
$pass = "xx_pass"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $pass)))

Tried this one too; it still exposes where the file is.

# Password read from a file whose path is visible in the script
$user = "xx_user"
$pass = Get-Content "C:\abc\securepassword.txt" | ConvertTo-SecureString

Any recommendations?

1 ACCEPTED SOLUTION

Roger Poore
Tera Guru

I encrypt the passwords with a specific key which is stored in a tightly controlled folder. My ServiceNow scripts will pull in and decrypt the password using the key that it gets from the previous step. It's very much like this: https://purple.telstra.com.au/blog/using-saved-credentials-securely-in-powershell-scripts

# Placeholder paths; point these at the tightly controlled folder.
$AESKeyFilePath = "C:\Secure\aes.key"
$credentialFilePath = "C:\Secure\credential.txt"

# Prompt for the password so it is never typed into the script.
$passwordSecureString = Read-Host "Enter password" -AsSecureString

# Generate a random AES Encryption Key.
$AESKey = New-Object Byte[] 32
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)

# Store the AESKey into a file. This file should be protected!  (e.g. ACL on the file to allow only select people to read)
Set-Content $AESKeyFilePath $AESKey   # Any existing AES Key file will be overwritten

# Encrypt the password with the key. Set-Content (not Add-Content) so a re-run replaces the old value instead of appending a second line.
$password = $passwordSecureString | ConvertFrom-SecureString -Key $AESKey
Set-Content $credentialFilePath $password

and to read the password:

$username = "reasonable.admin@acme.com.au"
$AESKey = Get-Content $AESKeyFilePath
# Same file that the encrypted password was written to above.
$pwdTxt = Get-Content $credentialFilePath
$securePwd = $pwdTxt | ConvertTo-SecureString -Key $AESKey
$credObject = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $securePwd

Eventually, I'm going to try the Credential Manager method. See https://petri.com/managing-usernames-passwords-powershell-sharepoint-online/ He also mentions encrypting the password and saving the key... he's just doing it slightly differently.

 

HTH

 -Roger
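
The key-file approach from the accepted answer, written out as an added example (not Roger's or ServiceNow's code): it restricts the key file's ACL with icacls and hands the decrypted credential to Invoke-RestMethod instead of building a Base64 header from a plaintext password. The paths, account names and instance host are placeholders.

```powershell
# Added example: every path, account name and the instance host below is a placeholder.
$KeyPath  = 'C:\Secure\sn_aes.key'
$CredPath = 'C:\Secure\sn_cred.txt'

# One-time setup, run elevated: create the key, lock the file down, store the encrypted password.
function New-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $CredPath,
        [Parameter(Mandatory)] [string] $RunAsAccount   # account the script runs under
    )
    $key = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    [System.IO.File]::WriteAllBytes($KeyPath, $key)

    # Drop inherited ACEs; leave read for the run-as account and full control for Administrators.
    icacls $KeyPath /inheritance:r /grant:r "${RunAsAccount}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $KeyPath" }

    Read-Host -Prompt 'Password' -AsSecureString |
        ConvertFrom-SecureString -Key $key |
        Set-Content -Path $CredPath
}

# Every run: rebuild the PSCredential; the password never appears as a plaintext string in the script.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $CredPath
    )
    $key    = [System.IO.File]::ReadAllBytes($KeyPath)
    $secure = Get-Content -Path $CredPath -TotalCount 1 | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage (uncomment after replacing the placeholders):
# New-StoredCredential -KeyPath $KeyPath -CredPath $CredPath -RunAsAccount 'DOMAIN\svc_account'
# $cred = Get-StoredCredential -UserName 'xx_user' -KeyPath $KeyPath -CredPath $CredPath
# $uri  = 'https://INSTANCE.service-now.com/api/now/table/incident?sysparm_limit=1'
# Invoke-RestMethod -Uri $uri -Credential $cred -Headers @{ Accept = 'application/json' }
# PowerShell 6+ also accepts -Authentication Basic to send the header on the first request.
```

Anyone who can read both files can recover the password, so the ACL on the key file is the actual control here.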


2 REPLIES

Saurabh Gupta
Kilo Patron

Hi,

I think for this ServiceNow is using connection and credentials to save the password, and it is not visible to anyone. There is 2-way encryption on passwords.


Thanks and Regards,

Saurabh Gupta
