Generate Aes Key Command Line


Generate A Key Pair. To create a key pair using PGP Command Line, follow these steps: Open a command shell or DOS prompt. On the command line, enter:

pgp -gen-key <user ID> -key-type <key type> -bits <bits #> -passphrase <passphrase>

NOTE: Any information that contains spaces must be contained inside quotation marks. See the example below.

@Mawg: Your openssl command is outputting the public key corresponding to the supplied private key. Public keys aren't encrypted (they're not secret), so using -passout makes no sense. You probably want to use -passin there, to supply the passphrase that was used to encrypt the private key in the first step.

I recently went through the process of learning about how you could encrypt and store passwords for user accounts in a way that they can be easily used in a Powershell script. While researching how to do this, I found a lot of information on how to encrypt the password using Microsoft’s Data Protection Application Programming Interface (DPAPI) encryption. However, I didn’t find very many write-ups on how to do the same thing using AES encryption. So I’m going to share what I found and how it can be implemented.


AES? DPAPI? Why might I choose one over the other?

Before getting to the details for implementation, I want to mention some reasons why you may (or may not) want to use AES instead of DPAPI. Both DPAPI and AES have native support in Powershell, so they can both be used relatively easily.


Data that is encrypted using DPAPI can only be decrypted on the same host that encrypted the data (and it might even need to be the same user profile; I read a couple of things that mentioned that, but haven’t dug deeper to find out if that’s accurate, or tested it). That means that the data that’s encrypted using DPAPI isn’t portable – it can’t be decrypted on other computers (excluding potential attacks against the encryption). Some people might find DPAPI appealing because its lack of portability keeps the data more secure from a Confidentiality perspective.

Data that is encrypted using AES, on the other hand, can be decrypted by any computer that has the AES key that was used to encrypt the data. That means that the data that’s encrypted using AES is portable. If the data needs to be migrated to another host for any reason (normal systems migrations, disaster recovery, etc), it will continue to be accessible as long as you have access to the AES key that was used. Some people might find the portability of AES to be appealing because it keeps the encrypted data more secure from an Availability perspective.

Ultimately, whether you choose to use DPAPI or AES is a decision that each person or organization needs to make, and you need to weigh the pros and cons of each option. In either case, if any variety of encryption is implemented without an appropriate amount of consideration, it can result in bad situations like an inability to access data that you need (effectively, a self-inflicted Denial of Service) or the data not being as confidential as you thought because of poor access controls on the keys.

Now that we’ve covered that part, let’s move on to how you can use Powershell to (1) generate and store a 256-bit AES key, (2) encrypt the password for a User Account using that AES key, and (3) use that AES encrypted password in a script (to authenticate with a mail server, in this case).

Preparing your environment to use AES encrypted passwords

Use the Powershell below to get your environment prepared. Before executing these steps, you will need to have: (1) a secure location to store your key, (2) a secure location to store your encrypted password, (3) the password for the User account that you need to use in your script.

The screenshot below shows Prep Step 1. A 256-bit (32-byte) key is generated using a .NET random number generator. For demonstration purposes, the contents of the key file are displayed.

The screenshot below shows Prep Step 2. The password for “Username@YourDomainDotCom” is typed into the Powershell “Read-Host -AsSecureString” prompt, and then the password is encrypted and saved to a file. For demonstration purposes, the content of the encrypted password file is displayed.

After you complete those two Prep Steps, you will have your Key and Encrypted Password saved to files, and you will be able to use them when you execute other Powershell scripts in the future.

Using your AES Encrypted password in a script

The script below demonstrates how you can use your AES Encrypted password in a script. In this example, the password is being used to authenticate with a Mail Server.

The screenshot below shows the demonstration script excluding the “Define Email Message Options” and “Send Email” portions at the end of the script. For demonstration purposes, it also shows what the content of the $EmailCredentials variable, a PSCredential object, looks like. Because the password was loaded as a SecureString, the Password is displayed as “System.Security.SecureString” instead of the actual password being displayed.

I don’t show the email portion in the demonstration screenshots because I’m not using a real Mail Server and User Account for this. But it all works as long as all of the options that you define for the Send-MailMessage command are valid for the Mail Server that you use.

Decrypting a password file to reveal the plaintext password

As a final note on this post – I mentioned earlier that controlling access to your Key is critical, because anyone that has access to the key can decrypt the data that was secured with it. In the situation that I’m demonstrating, since the key is being used to encrypt the password for an account, if an attacker can get their hands on the Key and the encrypted password file, then they may be able to use the User Account for accessing other services on the network (in addition to authenticating with the Mail Server, as the scripts demonstrate).

So, you got your hands on the key and password file, and you want to decrypt it to recover the plaintext password? This will do it (re-using some variables that were used in the previous scripts above).

The screenshot below shows that Powershell code being used to expose the plaintext password we encrypted earlier. The password is “ThisIsMyP@ssw0rdfjaldskf;jNENROIEFDnlndlfw392fdkjslfjo3fdkNLFDSNFKJLSo32eo9#(*$)#$#(*%&NFJEI#fdklew”
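The post's own PowerShell lives only in screenshots, so here is an added example (mine, not the post's code) covering the three steps above (generate and store the key, encrypt the password, load it into a PSCredential) and the final key-plus-file decryption point. The file paths, the recipient address and the SMTP host are assumptions; the account name is the one the post uses.

```powershell
# Added example, not the original post's script. Paths and mail settings are assumed values.
$KeyFile      = 'C:\Secure\aes.key'          # assumed; restrict this file's ACL to the service account
$PasswordFile = 'C:\Secure\mail.pwd'         # assumed
$UserName     = 'Username@YourDomainDotCom'  # account name from the post

# Prep Step 1: 256-bit (32-byte) key from the .NET cryptographic RNG.
# Out-File stores one byte value per line; Get-Content reads them back and
# PowerShell coerces the strings to [byte[]] for the -Key parameter (must be 16, 24 or 32 bytes).
function New-AesKeyFile {
    param([string]$Path)
    $Key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
    $Key | Out-File -FilePath $Path
    return $Key
}

# Prep Step 2: prompt for the password as a SecureString, encrypt it with the key, save to file.
function Protect-PasswordFile {
    param([string]$Path, [byte[]]$Key, [string]$Account)
    $Secure = Read-Host -Prompt "Password for $Account" -AsSecureString
    $Secure | ConvertFrom-SecureString -Key $Key | Out-File -FilePath $Path
}

# Step 3: rebuild the SecureString from the file using the key and wrap it in a PSCredential.
function Get-MailCredential {
    param([string]$Account, [string]$KeyPath, [string]$PasswordPath)
    $Key    = Get-Content -Path $KeyPath
    $Secure = Get-Content -Path $PasswordPath | ConvertTo-SecureString -Key $Key
    return New-Object System.Management.Automation.PSCredential ($Account, $Secure)
}

# One-time preparation (run interactively, then keep both files under tight access control).
$Key = New-AesKeyFile -Path $KeyFile
Protect-PasswordFile -Path $PasswordFile -Key $Key -Account $UserName

# In the scheduled script: load the credential and use it with Send-MailMessage.
$EmailCredentials = Get-MailCredential -Account $UserName -KeyPath $KeyFile -PasswordPath $PasswordFile
$EmailCredentials          # Password column shows System.Security.SecureString, as in the post
Send-MailMessage -From $UserName -To 'recipient@example.com' -Subject 'AES-protected credential test' `
    -Body 'Sent using a credential loaded from an AES-encrypted password file.' `
    -SmtpServer 'mail.example.com' -UseSsl -Credential $EmailCredentials   # assumed host/recipient

# Final note from the post: whoever holds both the key file and the password file gets the
# plaintext back, which is why the key file's ACL matters as much as the password file's.
$EmailCredentials.GetNetworkCredential().Password
```

The only secret-bearing artifacts are the two files, so auditing their ACLs (for example with Get-Acl) is the check worth scripting alongside this.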

Creating GPG keypairs in Linux is a simple process, but understanding how it works can enhance your security.

Previously, in Getting Started with GnuPG, I explained how to import a public key to encrypt a file and verify a signature. Now learn how to create your own GPG key pair, add an email address, and export the public key.

Creating a GPG keypair


To receive an encrypted file that only you can open, you first need to create a key pair and then share your public key. Creating the key pair is similar to creating SSH keys in that you choose a key size, specify an identifier, and set a passphrase.


The gpg command has three options for creating a key pair:


  • The --quick-generate-key option requires you to specify the USER-ID field on the command line and optionally an algorithm, usage, and expiration date. It uses defaults for all other options.
  • The --generate-key option prompts for the real name and email fields before asking for a confirmation to proceed. In addition to creating the key, it also stores a revocation certificate.
  • The --full-generate-key option, demonstrated below, provides a dialog for all options.