Encrypting passwords for automation on Windows using PowerShell, WinSCP and DPAPI

I have been using VBScript to generate and send data over SFTP from a Windows host to a remote server using WinSCP. Obviously, this requires the use of a set of credentials which have to be shown in plain text in your script file, which is not ideal.

Fortunately, WinSCP has some pretty good documentation on the subject. However, I had to do some research to figure out how to use the Windows Data Protection API in a PowerShell script, hence this article.

Windows DPAPI allows you to encrypt passwords so that only the user account which encrypted them can decrypt them. This is still an issue if the user account is compromised, obviously, but at least there are no more plain text passwords.
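
As an added illustration (not code from the original article or from WinSCP), this is one way to keep the password DPAPI-protected on disk and hand it to the WinSCP .NET assembly as a SecureString. The file path, host name, user name, fingerprint placeholder and WinSCPnet.dll location are assumptions to replace with your own.

```powershell
# Hypothetical location for the protected password (assumption, not from the article).
$secretFile = Join-Path $env:LOCALAPPDATA 'sftp-upload\password.dpapi'

function Save-ProtectedPassword {
    param([Parameter(Mandatory)][string]$Path)
    # Prompting with -AsSecureString keeps the password out of the script and history.
    $secure = Read-Host -Prompt 'SFTP password' -AsSecureString
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Without -Key/-SecureKey, ConvertFrom-SecureString protects the value with
    # DPAPI under the current user's key (Windows only).
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Get-ProtectedPassword {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # DPAPI decrypts only for the account that ran Save-ProtectedPassword.
        Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt '$Path' as $env:USERNAME. Run Save-ProtectedPassword " +
              "under the account that runs the job. $($_.Exception.Message)"
    }
}

function Send-FileOverSftp {
    param([Parameter(Mandatory)][string]$LocalPath,
          [Parameter(Mandatory)][string]$RemotePath)
    # Assumed install path of the WinSCP .NET assembly.
    Add-Type -Path 'C:\Program Files (x86)\WinSCP\WinSCPnet.dll'
    $options = New-Object WinSCP.SessionOptions -Property @{
        Protocol              = [WinSCP.Protocol]::Sftp
        HostName              = 'sftp.example.com'          # placeholder
        UserName              = 'upload'                    # placeholder
        SecurePassword        = (Get-ProtectedPassword -Path $secretFile)
        SshHostKeyFingerprint = '<host key fingerprint>'    # placeholder, must be replaced
    }
    $session = New-Object WinSCP.Session
    try {
        $session.Open($options)
        # Check() throws if any file in the transfer failed.
        $session.PutFiles($LocalPath, $RemotePath).Check()
    }
    finally { $session.Dispose() }
}
```

Run `Save-ProtectedPassword -Path $secretFile` once while logged on as the account that will run the automation; a scheduled task running under a different account will hit the decryption error above.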
