Sending Emails with Local Encrypted Credentials
While working with a customer today we were asked how to send encrypted emails from PowerShell. Naturally we asked for more back story to fully understand the context of the request.
The customer has off-shore support, and there were concerns about giving the support staff email/passwords, so after some research we figured out there was a method for doing just this.
Going back in time to when the Windows Registry was something we all still used (basically a database of what is installed on your computer and how those things interact with each other), you could store all kinds of interesting tidbits of information on your machines. Using the following method, we can create and store credentials on a local machine and encrypt the password so no one else can see it.
**Yes, we know this doesn't scale, and yes, we know that if anyone else figures out the regkey it's stored in, they can use it as well.**
So here is some PowerShell that can give us the results we want.
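```powershell
# Creates the structure (writing under HKLM requires an elevated session)
$strRegistryKey = "HKLM:\Software\SecureStuff\MySoftware\Users"
# Create the key only if it is missing: New-Item -Force on an existing key
# recreates it and drops any values already stored there
if (-not (Test-Path -Path $strRegistryKey)) {
    New-Item -Path $strRegistryKey -ItemType RegistryKey -Force
}

# Gather Credential Information
$secureCredential = Get-Credential -Message "Enter the username and password:"
$securePassword = $secureCredential.Password | ConvertFrom-SecureString
$strUsername = $secureCredential.Username

# Add Credentials to the Registry (value name = username, value data = encrypted password string)
New-ItemProperty -Path $strRegistryKey -PropertyType String -Name $strUsername -Value $securePassword
```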
The first part, "# Creates the structure", creates the registry keys in the HKEY_LOCAL_MACHINE hive of the registry under Software, SecureStuff, MySoftware, Users.
The second part, "# Gather Credential Information", prompts the person running the script for the username and password they want to store on the local machine, and converts the password to an encrypted string.
The third part, "# Add Credentials to the Registry", does exactly that: it creates a registry value named after the user and stores the password in it as an encrypted string (the output of ConvertFrom-SecureString on the SecureString).
So now you have the credentials stored for use. But how do you use them?
PowerShell has a built-in cmdlet that allows you to send emails: Send-MailMessage.
With the credentials stored above, we can use Send-MailMessage to send the emails we want the support personnel to send, without giving them the credentials to the email account itself.
To retrieve the credentials, we have this snippet of PowerShell:
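```powershell
# Location where the credentials were stored
$strRegistryKey = "HKLM:\Software\SecureStuff\MySoftware\Users"
# Name of the stored value: the username entered when the credential was saved
# (user@example.com is a placeholder)
$strUserName = "user@example.com"
# Read the encrypted string back and turn it into a SecureString again
$securePassword = (Get-ItemProperty -Path $strRegistryKey -Name $strUserName).$strUserName | ConvertTo-SecureString
$secureCredentials = New-Object System.Management.Automation.PSCredential ($strUserName, $securePassword)
```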
In these parts we are using the variable $strRegistryKey to read back the location where the credentials are stored in the Windows Registry. We are storing the credentials in the $secureCredentials variable for use later.
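A retrieval helper for the registry layout above that handles the two ways the read can fail, plus a way to review who can access the key (an added example, not part of the original post). `Get-StoredCredential` and `Get-StoredCredentialAccess` are hypothetical names; the example assumes the value was written on Windows by the storage script above, where `ConvertFrom-SecureString` without `-Key` protects the string with DPAPI for the account and machine that created it.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $RegistryKey = 'HKLM:\Software\SecureStuff\MySoftware\Users'
    )

    # The value name is the username; the value data is the ConvertFrom-SecureString output.
    $item = Get-ItemProperty -Path $RegistryKey -Name $UserName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        throw "No stored credential named '$UserName' under $RegistryKey."
    }

    try {
        # Stored without -Key, so only the same Windows account on the same
        # machine can turn the string back into a SecureString.
        $securePassword = ConvertTo-SecureString -String $item.$UserName -ErrorAction Stop
    }
    catch {
        throw ("Stored value for '$UserName' could not be decrypted as " +
               "$env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME. It must be read by the " +
               "account and machine that stored it. ($($_.Exception.Message))")
    }

    New-Object System.Management.Automation.PSCredential ($UserName, $securePassword)
}

# List who may read or change the key, so access to the stored values can be reviewed.
function Get-StoredCredentialAccess {
    param([string] $RegistryKey = 'HKLM:\Software\SecureStuff\MySoftware\Users')

    (Get-Acl -Path $RegistryKey).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Usage (constructed username):
# $secureCredentials = Get-StoredCredential -UserName 'user@example.com'
# Get-StoredCredentialAccess | Format-Table -AutoSize
```

Because the protection is tied to the storing account, the script has to run as that same account on that same machine, and anything else running as that account can obtain the same credential object.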
Send-MailMessage has many options. For this example, the customer is an Office 365 subscriber and wanted to use the Office 365 SMTP relay service to send the emails. To do so, we formatted the Send-MailMessage call as follows (edited, naturally):
```powershell
# -BodyAsHtml is a switch; the body text itself is passed with -Body
Send-MailMessage -From "Support@openingclouds.com" `
    -To "Support1@openingclouds.com" `
    -Subject "WHAT YOU WANT YOUR SUBJECT TO BE OF THE EMAIL" `
    -Body "WHAT IS THE BODY OF THE EMAIL" -BodyAsHtml `
    -SmtpServer smtp.office365.com -Port 587 -UseSsl `
    -Credential $secureCredentials
```
The script closes out by calling Send-MailMessage with the $secureCredentials variable, which was built by reading the registry keys on the local Windows machine.
This was a bit of a fun challenge and I hope you all can use this for some form of "secure" messaging if the need arises.