Create secured XML for Credentials in PowerShell

  • 24 January 2023
  • 0 replies

Userlevel 1

If you write PowerShell scripts for testing and want to provide them to clients, but any credentials need to be scrubbed prior to sending them, you can try using an XML Secured Object instead.  The basic concept is to create a script that receives the username and password through the secured prompt in PowerShell and outputs an XML file with the information encrypted.

To note

this is not a highly secured option and should not be used in any production environment.  This is an example of hiding your password while testing and demoing.

Use the Read-Host -AsSecuredString to keep the password hidden

create a new object using the System.Management.Automation.PSCredential class 

then use Export-clixml to output it into a Secured XML.  

The xml output results in an xml file with a password value of about 460 characters….

This XML is only valid on the system it was created ON so, if you copy that secured XML to another system and try to use it, it will not work.


To ‘import’ this secured XML into any PowerShell you use the Import-clixml cmdlet that will recreate the credential object.

Attached is a PS1 script - remove the .TXT  to use.  The output will be the Domain-username.xml.  the default folder is  .\CREDS.

This PowerShell script will prompt for the Username, Domain and Password.  The Password will be revalidated and, if not identical to the first entry, display an error message and exit.  This script does not enforce any minimums or limits (like length, case or special characters).

To use this secured XML file in a PowerShell script, such as with Carbonite Migrate or Availability, you would pass the secured XML to the script then use the Import-clixml cmdlet to recreate the credential object.

 $newSrcCred = Import-clixml $credQname

You can then use the credential object with the .UserName or .Password options. 

$dtSrcUserName = $newSrcCred.UserName
$dtSrcPassword = $newSrcCred.Password

Or with the -credential switch if available

$dtSrc = New-DtServer -Name $dtSrcHostName -Credential $newSrcCred
$dtTgt = New-DtServer -Name $dtTgtHostName -Credential $newTgtCred


Feel free to contact me if you have any questions.


0 replies

Be the first to reply!