ConvertFrom-SecureString throws a CryptographicException in windows iot

  • Question

  • I am exploring using the win iot Raspberry Pi2 to access a remote non-windows device that requires a username and password.

    I want to store the credentials to this device 'securely'.

    The export-clixml cmdlet is missing in windows iot so plan B was to fall back on the old way by creating the credential using get-credential and inputting the username and password. Then getting the 'secure' text version by using ConvertFrom-SecureString and storing that in a file.

    This does not work since it throws a CryptographicException as shown below.

    [RaspberryPi2B]: PS C:\Data\Users\ralf\Documents> $password = Read-Host "Enter Password: " -AsSecureString
    WARNING: A script or application on the remote computer RASPBERRYPI2B is sending a prompt request. When you are prompted, enter sensitive information, such as
    credentials or passwords, only if you trust the remote computer and the application or script that is requesting the data.
    Enter Password: : ********
    [RaspberryPi2B]: PS C:\Data\Users\ralf\Documents> $secure = ConvertFrom-SecureString $password
    ConvertFrom-SecureString : Error occurred during a cryptographic operation.
    At line:1 char:11
    + $secure = ConvertFrom-SecureString $password
    +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [ConvertFrom-SecureString], CryptographicException
        + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.ConvertFromSecureStringCommand

    Is there some registry setting that needs to be changed or do I have to store the plain text password?

    Running OS version 10.0.10586 on a Raspberry Pi2.

    Wednesday, April 6, 2016 8:56 PM

Answers

  • Hi jedgar & cyberh0me,

    The team has looked into this issue and has found the source of the message. You can find the full details on the call here https://technet.microsoft.com/en-us/library/hh849814.aspx.

    Basically, in IoT Core there is no pre-populated key like there is on your Desktop & Tablet so you need to add one before you call.

    In short, using a 192-bit key as an example, one would have to do something like the following:

    [Remote]: PS C:\> $key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

    [Remote]: PS C:\> $secure = ConvertFrom-SecureString $password -Key $key

    Please let me know if this solves your issue.

    Sincerely,

    IoTGirl


    Friday, April 8, 2016 7:16 PM

All replies

  • Hi jedgar222,

    Have you tried this same code on the desktop? Does it have the same issue?  Also, you are running 10586.  Have you joined Windows Insiders and can you try 14295?

    Sincerely,

    IoTGirl


    Wednesday, April 6, 2016 10:49 PM
  • Yes it works on the desktop. Here is what happens on my surface:

    [surface]: PS C:\Users\ralf> $password = Read-Host "Enter Password: " -AsSecureString
    WARNING: A script or application on the remote computer SURFACE is sending a prompt request
    passwords, only if you trust the remote computer and the application or script that is requesting
    Enter Password: : ********
    [surface]: PS C:\Users\ralf> $password | ConvertFrom-SecureString
    01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a6eaaaa74e3f974684220c6c296c0585000000
    982a45781d776704fde23e2b20000000570b0c8dd44c66f958f5832400418577a38368b80a4dd0bcb5bbf6

    Also running 10.0.10586.

    I do not plan on upgrading the pi to the insider load, I do have it running on a VM though.

    Thursday, April 7, 2016 1:09 AM
  • FYI, tried it on 14295 pi with the same result.
    Thursday, April 7, 2016 2:45 PM
  • Yes, the exception is gone when using the -key option.

    I can now store the password in a file in a secure fashion, then retrieve the unencrypted password by using ConvertTo-SecureString -key $key on the string from the file and then using the GetNetworkCredential().Password method on a temporary pscredential object with the secure string object for the password.

    Definitely a step forward.

    Now how do I store the key securely? How does a desktop store this?

    Suggestions welcome.

    Thanks much for the help.


    Friday, April 8, 2016 10:06 PM
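
The round trip described in the answer and in the reply above, as an added example that is not part of the original thread: it generates a random 256-bit key rather than typing a byte list, keeps the key and the protected string in separate files, and recovers the password through a temporary PSCredential. The function names, file names, user name and sample password are assumptions made for illustration.

```powershell
# Added example: function names, file names, user name and password are hypothetical.
$keyPath  = Join-Path $PWD 'device.key'   # store apart from the protected string
$credPath = Join-Path $PWD 'device.pwd'

function New-AesKey {
    # -Key accepts 16, 24 or 32 bytes (128-, 192- or 256-bit AES keys).
    param([ValidateSet(16, 24, 32)][int]$Bytes = 32)
    $key = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    return ,$key   # leading comma returns the byte[] as one object
}

function Save-DevicePassword {
    param([System.Security.SecureString]$Password, [byte[]]$Key, [string]$Path)
    # With -Key the string is AES-encrypted under that key; without it the cmdlet
    # uses the Windows Data Protection API (DPAPI).
    ConvertFrom-SecureString -SecureString $Password -Key $Key | Set-Content -Path $Path
}

function Read-DevicePassword {
    param([byte[]]$Key, [string]$Path, [string]$UserName = 'deviceuser')
    $secure = Get-Content -Path $Path | ConvertTo-SecureString -Key $Key -ErrorAction Stop
    # Temporary PSCredential, used only to read the plain text back out.
    $cred = New-Object System.Management.Automation.PSCredential ($UserName, $secure)
    return $cred.GetNetworkCredential().Password
}

# Create the key once and persist it as raw bytes.
$key = New-AesKey
[System.IO.File]::WriteAllBytes($keyPath, $key)

# Constructed sample password; interactively, use Read-Host -AsSecureString instead.
$password = ConvertTo-SecureString 'Constructed-Sample-1' -AsPlainText -Force
Save-DevicePassword -Password $password -Key $key -Path $credPath
[Array]::Clear($key, 0, $key.Length)   # drop the in-memory copy of the key

# Later session: load the key, recover the password, compare with the sample.
$loaded = [System.IO.File]::ReadAllBytes($keyPath)
$plain  = Read-DevicePassword -Key $loaded -Path $credPath
"Round trip matches: $($plain -eq 'Constructed-Sample-1')"
```

Anyone who can read both files can recover the password, so the key file needs tighter access control than the protected string.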
  • Hi Jedgar,

    I am marking the original question as answered. The new question should be opened in a new topic thread and I do suggest using the Windows Insiders forums in order to get a full Windows 10 answer to that question.

    Sincerely,

    IoTGirl

    Thursday, April 28, 2016 6:55 PM