Protecting output content from prying eyes

Sup PSHomies,

Security is on everyone’s mind these days. It’s no wonder, with GDPR going into effect as of May 2018. My quick take on GDPR? It’s just Data Protection & ILM (Information Life-cycle Management) with some serious penalties attached. That archiving solution isn’t looking that expensive anymore, eh? Having an RBAC model in place makes a whole lot of sense right about now, huh? But I digress…

I get asked a lot to create reports. GDPR made me stop and reflect on how well (or maybe not so well) I’m handling/sharing these reports. Let’s just say I didn’t give myself a high score…

So my next challenge is about security: how do I keep prying eyes off my data? How do I make sure only the intended audience has access to it?

The first thing that came to mind was encryption. It turns out that PowerShell v5 has new cmdlets, Protect-CmsMessage/Unprotect-CmsMessage, for this very purpose! Keith Hill has an excellent blog about getting started with them (seriously, how did I miss this???). Oh, and be sure to read Dave Wyatt’s comment.

Another must-read blog is that of Cyber Defense. I tried the code and was able to recreate the limitations, errors and performance issues. I also tried exporting to XML using Export-CliXML, but that gave me some issues with UTF8 encoding. I was able to protect a 500 MB file, but unable to unprotect it. I also found yet another great tip on compressing files using the 7-Zip module (could it get any better???). The CMS cmdlets are great for encrypting simple text.

The best route for protecting your data is to generate a random password, encrypt only that password with CMS for the recipient’s certificate, and use the password to protect the data itself as a password-protected 7-Zip archive. Here’s what I came up with…

<#
Author: I. Strachan
Version: 1.0
Version History:
Purpose: Create an encrypted password file and saves the password as
a Credential object
#>
#Requires -Modules 7Zip4Powershell   # the 7-Zip module that provides Compress-7Zip/Expand-7Zip

function New-EncryptedCredentialFile {
    [CmdletBinding()]
    param(
        [String]$ThumbPrint = '0460483ADEF613D3B1781FAE393DF2AEAE1060ED',
        [String]$PasswordFile = 'C:\scripts\source\txt\Password.txt',
        [ValidateRange(20, 128)]
        [Int]$PasswordLength = 100
    )

    #Load "System.Web" assembly in PowerShell console
    $null = [Reflection.Assembly]::LoadWithPartialName("System.Web")

    #Calling Generated Password Method (100 random characters, no non-alphanumeric minimum)
    $ClearPassword = [System.Web.Security.Membership]::GeneratePassword($PasswordLength, 0)

    #Encrypt the clear-text password for the recipient's certificate and save it to file
    $ClearPassword |
    Protect-CmsMessage -OutFile $PasswordFile -To $ThumbPrint

    #return Credential for encryption
    $Credential = [PSCredential]::new($ThumbPrint, $($ClearPassword | ConvertTo-SecureString -AsPlainText -Force))
    $Credential
}

$Cred = New-EncryptedCredentialFile -ThumbPrint '0A5A254C42D710E2C0B1BC77B142FAEC7EA7B93B'

#Region Compress and password protect 7zip file
$param7Zip = @{
    Path            = 'c:\scripts\export\dsa\20062017'
    ArchiveFileName = 'pshirwin-20062017.7zp'
    Format          = 'SevenZip'
    SecurePassword  = $Cred.Password
}

Compress-7Zip @param7Zip
#EndRegion

#Region Expand 7Zip protected password file
#Retrieve exported Credentials (same file New-EncryptedCredentialFile wrote)
$thumbPrint = '0A5A254C42D710E2C0B1BC77B142FAEC7EA7B93B'
$passwd = Unprotect-CmsMessage -LiteralPath 'C:\scripts\source\txt\Password.txt' -To $thumbPrint |
ConvertTo-SecureString -AsPlainText -Force
$Creds = [PSCredential]::new($thumbPrint, $passwd)

Expand-7Zip -ArchiveFileName 'pshirwin-20062017.7zp' -TargetPath .\temp\pshirwin-20062017 -SecurePassword $Creds.Password
#EndRegion

Let’s break down the function. First you’re going to need the public certificate of the intended recipient, and it has to carry the Document Encryption EKU or Protect-CmsMessage won’t accept it as a recipient. Keith’s blog covers how to do that. The function will generate a random 100-character password, encrypt it for that certificate and save it to the specified file. Last but not least, it will also return said password as a Credential object. This is used later on to password-protect the 7-Zip archive, so the recipient only needs to decrypt the small CMS file, not the whole archive.
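The function above trusts whatever thumbprint it is given and leans on System.Web, which doesn’t exist on PowerShell 6/7. As an added example (my code, not from the original post), here is a variant that first confirms the thumbprint resolves to a certificate CMS can actually use (Document Encryption EKU, not expired) and draws the password from the .NET CSPRNG instead. The function names, the store list and the 64-symbol alphabet are my own choices.

```powershell
# Added example, not code from the original post.
# Checks the recipient certificate before encrypting anything, and generates
# the archive password without System.Web. Function names are mine.

function Get-CmsRecipientCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [String]$ThumbPrint
    )
    # OID of the Document Encryption EKU that Protect-CmsMessage requires on a recipient
    $docEncryptionOid = '1.3.6.1.4.1.311.80.1'

    # The sender only needs the public certificate; these are the stores an imported
    # .cer or the user's own certificate normally lands in (assumed store list)
    $stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook', 'Cert:\LocalMachine\My'
    $cert = $stores |
        ForEach-Object { Get-ChildItem -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Thumbprint -eq $ThumbPrint } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $ThumbPrint in $($stores -join ', ')"
    }

    # Collect every EKU OID from the certificate's Enhanced Key Usage extension
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
    if ($ekuOids -notcontains $docEncryptionOid) {
        throw "Certificate $ThumbPrint lacks the Document Encryption EKU ($docEncryptionOid); Protect-CmsMessage will reject it"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $ThumbPrint expired on $($cert.NotAfter)"
    }
    $cert
}

function New-RandomPassword {
    param(
        [ValidateRange(20, 128)]
        [Int]$Length = 100
    )
    # Exactly 64 symbols, so (byte % 64) is uniform and there is no modulo bias
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($bytes) }
    finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-ProtectedArchivePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [String]$ThumbPrint,
        [Parameter(Mandatory)] [String]$PasswordFile,
        [ValidateRange(20, 128)] [Int]$PasswordLength = 100
    )
    $cert  = Get-CmsRecipientCertificate -ThumbPrint $ThumbPrint
    $clear = New-RandomPassword -Length $PasswordLength

    # Only the password is CMS-encrypted; the data goes into the password-protected archive
    Protect-CmsMessage -Content $clear -To $cert -OutFile $PasswordFile

    # Hand back a SecureString; the clear-text .NET string still lives in memory until
    # collected, so this narrows the window rather than eliminating it
    $secure = ConvertTo-SecureString -String $clear -AsPlainText -Force
    [PSCredential]::new($ThumbPrint, $secure)
}

# Usage on the sender's machine (thumbprint and paths are placeholders):
# $cred = New-ProtectedArchivePassword -ThumbPrint '0A5A254C42D710E2C0B1BC77B142FAEC7EA7B93B' `
#                                      -PasswordFile 'C:\scripts\source\txt\Password.txt'
# Compress-7Zip -Path 'c:\scripts\export\dsa\20062017' -ArchiveFileName 'pshirwin-20062017.7zp' `
#               -Format SevenZip -SecurePassword $cred.Password
```

On the receiving side the same Get-CmsRecipientCertificate check applies, plus `$cert.HasPrivateKey` has to be $true or Unprotect-CmsMessage has nothing to decrypt with; that is the quickest way to tell “wrong machine” apart from “wrong file” when the decrypt step fails.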

This will at least protect your data from prying eyes. Like Dave said in his comment:

“Anyone with admin access to a computer, or physical access to an unencrypted hard drive, can steal those private keys in most cases.”

It’s not fool-proof but it’s a start…

Take away

Make sure you’re not the weakest link when it comes to security and protecting/sharing data. Make sure you understand your company’s GDPR compliance policies. I’m seeing quite a few Security officer job offers on LinkedIn if that’s your thing… 😉

One more blog I can definitely recommend reading is David das Neves’ blog on PowerShell Security at Enterprise customers. Granted, it’s quite the read, but well worth it!

Ok, there’s just one more blog you should also read: Don Jones’ blog on why you should stop using self-signed certificates.

It’s going to be a challenge for all of us, but one well worth it…

Hope it’s worth something to you…
