PowerShell加密SQL Server的密码技术

挑战 (Challenge)

Automating SQL Server tasks with PowerShell can increase productivity and save time, but how do use PowerShell encrypt password techniques to avoid saving them as plain text. This article will show you how.

使用PowerShell自动执行SQL Server任务可以提高生产率并节省时间，但是如何使用PowerShell加密密码技术来避免将它们另存为纯文本。本文将向您展示如何。

The challenge for handling SQL credentials encryption is something that often needs to be dealt with when setting up SQL Server automated PowerShell tasks. On most occasions, credentials for SQL Server or a source control connection have to be provided and by default those credentials will remain in plain text. This is a non-option for most Database or IT administrators regarding the SQL Server security.

在设置SQL Server自动PowerShell任务时，通常需要处理处理SQL凭据加密的挑战。在大多数情况下，必须提供SQL Server或源控制连接的凭据，默认情况下，这些凭据将保留为纯文本格式。对于大多数数据库或IT管理员，对于SQL Server安全性，这是不可选项。

例 (Example)

Let’s take an example script:

让我们来看一个示例脚本：

& "c:\program files\ApexSQL\Apexsql diff\ApexSQLDiff.com"
/sourcecontrol_type1:teamfoundationserver
/sourcecontrol_server1:“https://apexsqlmr.visualstudio.com/DefaultCollection”
/sourcecontrol_project1:”$/ADW_v2018” /sourcecontrol_user1:"SourceControlUser"
/sourcecontrol_password1:"scpass" /scr2:”$/ProjectName” /s2:machine\sqlserver
/d2:Prod_db /u2:"sa" /p2:”SQLpass” /ot:html /on: "C:\Reports\Comparison.html" /f

This simple string is set to synchronize a database located on a source control repository with a target database on some SQL Server instance by executing ApexSQL Diff, a 3^rd party SQL Server change management tool through the command line interface aka CLI. As for the question of SQL Server security it can be easily concluded that there is no SQL Server security, in this case. Anyone logged into Windows session on the machine that is set for automated task can read the script and saved SQL credentials.

这个简单的字符串设置通过执行ApexSQL Diff时，一个^第三方到位于与某些SQL Server实例的目标数据库源代码控制存储库中的数据库同步SQL Server变更管理工具，通过命令行界面又名CLI。对于SQL Server安全性问题，可以很容易地得出结论，在这种情况下，没有SQL Server安全性。在设置为自动任务的计算机上登录Windows会话的任何人都可以读取脚本并保存SQL凭据。

Resolving this SQL Server security issue can be done within the possibilities of PowerShell with a few extra steps before setting the automated task. What will be explained in this text, is how to save SQL credentials in a file in encrypted form and use them instead of plain text credentials.

在设置自动化任务之前，可以通过PowerShell的一些额外步骤来解决此SQL Server安全问题。本文将解释如何将SQL凭据以加密形式保存在文件中，并使用它们代替纯文本凭据。

It will be necessary to save a separate file per username/password in order to properly use them as SQL credentials for authentication. For storing the credential files, a designated folder location should be prepared. To save the password (or username) in encrypted form, start the PowerShell console and use the following command:

为了正确使用它们作为身份验证SQL凭据，有必要为每个用户名/密码保存一个单独的文件。为了存储凭证文件，应准备一个指定的文件夹位置。要将密码（或用户名）以加密形式保存，请启动PowerShell控制台并使用以下命令：

Read-Host -AsSecureString |ConvertFrom-SecureString |Out-File C:\Credentials\SQLPassword.txt

When executed, the command will prompt to type in the password:

执行后，该命令将提示您输入密码：

The password will be saved in the location and file designated with this command after confirmation. The content of the file will be unreadable hash string.

确认后，密码将保存在此命令指定的位置和文件中。该文件的内容将是不可读的哈希字符串。

Repeat that action for the source control authentication password and username, if needed, but use a different name for each saved file:

如果需要，请对源控制身份验证密码和用户名重复该操作，但对每个保存的文件使用不同的名称：

Read-Host -AsSecureString |ConvertFrom-SecureString |Out-File C:\Credentials\SourceControlPassword.txt

This is a one-time operation to encrypt the SQL credentials until, at least, there is a change in the used password, at which point it will have to be repeated. In that case, using the same file name to store the password will overwrite the previous one.

这是一次性的加密SQL凭据的操作，直到至少更改了所使用的密码为止，此时必须重复该密码。在这种情况下，使用相同的文件名存储密码将覆盖前一个密码。

读取加密的凭证 (Reading encrypted credentials)

In order to use these saved encrypted passwords, it will be necessary to read them from the saved file and convert them back to readable form for PowerShell.

为了使用这些保存的加密密码，有必要从保存的文件中读取它们，并将其转换回PowerShell的可读形式。

Reading the password from a file can be done using following command:

可以使用以下命令从文件读取密码：

$EncryptedSQLPass = Get-Content -Path "C:\Credentials\SQLPassword.txt"

This will read the hashed string from the saved password file and store it in PowerShell object. The command will have to be used as preamble to main command string that executes synchronization task.

这将从已保存的密码文件中读取哈希字符串，并将其存储在PowerShell对象中。该命令将被用作执行同步任务的主命令字符串的前导。

A similar approach should be taken with the saved source control connection password. Another PowerShell object will be created with this command:

保存的源代码管理连接密码应采用类似的方法。将使用以下命令创建另一个PowerShell对象：

$EncryptedSCPass = Get-Content -Path "C:\Credentials\SourceControlPassword.txt"

Since the passwords are still in its encrypted form it will require decryption to properly use it for connection SQL.

由于密码仍然采用加密形式，因此需要解密才能正确将其用于连接SQL。

Decryption is done with this command:

使用以下命令完成解密：

[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $EncryptedSQLPass)))

Analogous to previous example, the source control password decryption should be executed only with the second PowerShell object:

与前面的示例类似，源控制密码解密应仅与第二个PowerShell对象一起执行：

[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $EncryptedSCPass)))

放在一起 (Putting it all together)

With this conversion passwords can be used for SQL and source control connections. Our example script, including the reading preamble, will now look like this:

通过此转换，密码可用于SQL和源代码控制连接。现在，我们的示例脚本（包括阅读序言）将如下所示：

$EncryptedSQLPass = Get-Content -Path "C:\Credentials\SQLPassword.txt" $EncryptedSCPass = Get-Content -Path "C:\Credentials\SourceControlPassword.txt" & "c:\program files\ApexSQL\Apexsql diff\ApexSQLDiff.com" /sourcecontrol_type1:teamfoundationserver /sourcecontrol_server1:“https://apexsqlmr.visualstudio.com/DefaultCollection”  /sourcecontrol_project1:”$/ADW_v2018” /sourcecontrol_user1:"SourceControlUser"  /sourcecontrol_password1: ([Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $EncryptedSCPass)))) /scr2:”$/ProjectName” /s2:machine\sqlserver /d2:Prod_db /u2:"sa" /p2:([Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString $EncryptedSQLPass)))) /ot:html /on:"C:\Reports\Comparison.html" /f

Note that decryption string has to be bracketed in order to be used as argument defining SQL credentials.

请注意，解密字符串必须放在方括号中才能用作定义SQL凭据的参数。

PowerShell encrypt password (and decrypt as well) techniques exist to allow you to safely create and run un-compiled scripts without having to worry about compromising security.

使用PowerShell加密密码（以及解密）技术可以使您安全地创建和运行未编译的脚本，而不必担心损害安全性。

翻译自: https://www.sqlshack.com/powershell-encrypt-password-techniques-for-sql-server/