Sending Emails with Local Encrypted Credentials (Part 2)
While helping our customer with encrypted emails, we decided to use another method.
In the spirit of the customer's ask, there is a need to allow a non-trusted user overseas to send emails using an automated method for event notifications or general notices.
So we start by defining what level of encryption we want to use. For this example we are using AES encryption. The AES.key file is the output of the code below. This "key" is what's needed to decrypt the passwords you will encrypt later. Store it in a secure location on the file system where you control the access. NTFS Read-Only should be enough for these files.
$KeyFile = "C:\Temp\AES.key"
$Key = New-Object Byte[] 16   # You can use 16, 24, or 32 bytes for AES (128/192/256-bit)
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)   # fill the key with random bytes
$Key | Out-File $KeyFile   # one byte per line, read back later with Get-Content
We move on to encrypting the actual password. In the code below you enter the password in the "PASSWORD" field. This should be done away from the end user and kept secure, as the file has the password in plain text. These files should not go to the end user, as that would defeat the purpose of NOT giving them the password.
$PasswordFile = "C:\Temp\Password.txt"
$KeyFile = "C:\Temp\AES.key"
$Key = Get-Content $KeyFile   # the AES key generated above
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force   # replace PASSWORD with the real one
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile   # encrypted with the key, not DPAPI
You can store the password file in the same location you store the key, or put them on a file server that is secured.
Lastly, we recall the encryption key and password and pass them to the Send-MailMessage PowerShell cmdlet.
We specify the user account hardcoded as seen. In this case we are using Office 365 as the SMTP relay; this could be different if you are using your own SMTP relay.
The important part here is that the username and password are stored in the PowerShell script encrypted and passed to Send-MailMessage as the $MyCredential variable.
$User = "USEREMAIL@domain.com"
$PasswordFile = "C:\Temp\Password.txt"
$KeyFile = "C:\Temp\AES.key"
$Key = Get-Content $KeyFile
# Decrypt the stored password with the key and wrap it in a PSCredential
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key)
# -BodyAsHtml is a switch; the body text goes in -Body
Send-MailMessage -From "USEREMAIL@domain.com" -To "USEREMAIL@domain.com" -Subject "Failed SQL Job" -Body "Insert body text here" -BodyAsHtml -SmtpServer smtp.office365.com -Port 587 -UseSsl -Credential $MyCredential
You can recall the password file or the AES key from a file server by changing the paths to the files, e.g. \\fileserver\keyshare\AES.key or the like.
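The three steps above combined into one script, as an added example that is not from the original post: it generates the key, encrypts the password, locks both files down with icacls so only a service account can read them, and refuses to load the credential if the ACL still grants read to a broad group (read access alone is enough to decrypt). The paths, the DOMAIN\svc-mail account and the idea of running the sender as that account from a scheduled task are assumptions.

```powershell
# Added example, not from the original post: the three steps above as functions,
# plus an ACL lock-down and check. Paths and DOMAIN\svc-mail are placeholders.
$KeyFile      = "C:\Temp\AES.key"
$PasswordFile = "C:\Temp\Password.txt"
$RunAsAccount = "DOMAIN\svc-mail"   # hypothetical account the scheduled task runs as

function New-EncryptedCredentialStore {
    param([string]$KeyFile, [string]$PasswordFile, [SecureString]$Password, [string]$RunAsAccount)
    # 32 bytes gives AES-256; RandomNumberGenerator replaces the obsolete RNGCryptoServiceProvider
    $Key = New-Object Byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
    $Key | Out-File $KeyFile
    $Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile
    # Whoever can READ both files can decrypt the password, so strip inherited ACEs
    # and grant read only to SYSTEM, Administrators and the run-as account.
    foreach ($f in $KeyFile, $PasswordFile) {
        icacls $f /inheritance:r | Out-Null
        icacls $f /grant:r "SYSTEM:(R)" "BUILTIN\Administrators:(F)" "${RunAsAccount}:(R)" | Out-Null
    }
}

function Test-CredentialStoreAcl {
    param([string]$Path)
    # Returns $false if a broad principal holds an Allow ACE on the file.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $bad = (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    }
    return (@($bad).Count -eq 0)
}

function Get-StoredMailCredential {
    param([string]$User, [string]$KeyFile, [string]$PasswordFile)
    foreach ($f in $KeyFile, $PasswordFile) {
        if (-not (Test-CredentialStoreAcl $f)) { throw "ACL on $f grants read to a broad group; refusing to load it" }
    }
    $Key    = Get-Content $KeyFile
    $Secure = Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key
    New-Object System.Management.Automation.PSCredential ($User, $Secure)
}

# One-time setup, run by an administrator (Read-Host avoids a plain-text password in the script):
# New-EncryptedCredentialStore $KeyFile $PasswordFile (Read-Host -AsSecureString "Mailbox password") $RunAsAccount
# At send time, under the run-as account:
# $Cred = Get-StoredMailCredential "USEREMAIL@domain.com" $KeyFile $PasswordFile
# Send-MailMessage -From "USEREMAIL@domain.com" -To "USEREMAIL@domain.com" -Subject "Failed SQL Job" `
#   -Body "Insert body text here" -SmtpServer smtp.office365.com -Port 587 -UseSsl -Credential $Cred
```

Because the end user only triggers the task and never holds read access to the two files, they can send mail without ever being able to recover the password.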
Thanks and come back for more !