powershell - Concatenating secure string

Question

Is it possible to concatenate a secure string with variables and unsecure strings in PowerShell?

I have a formula that is used for local administrator passwords in our standalone environment (no domain). I would like to store part of that formula in a file securely, then get that, convert it to a regular string, and concatenate it with another object and another string to form the password.

My intent is not to expose our formula in plain text in the workflow that I am putting together. Is there another way that I am missing? It's too many machines to easily store each password separately.

Answer 1

Credential objects allow you to decrypt a secure string (source):

PS C:> $pw = 'bar' | ConvertTo-SecureString -AsPlainText -Force
PS C:> $pw.GetType().FullName
System.Security.SecureString
PS C:> $cred = New-Object Management.Automation.PSCredential 'foo', $pw
PS C:> $cred.GetType().FullName
System.Management.Automation.PSCredential
PS C:> $cred.UserName
foo
PS C:> $cred.Password
System.Security.SecureString
PS C:> $cred.GetNetworkCredential().Password
bar

However, the encryption key for the secure string is tied to the user and computer that created the secure string, so it's not usable on another computer or by another user. You can work around this, but that would require to encrypt the secure string with a key generated by you, and that key would have to be available in plain text (or rather plain bytes) whenever the secure string needs to be decrypted. Which kinda defeats the purpose of encrypting it in the first place.

On top of that, if you have enough machines to make storing separate passwords a hassle, you also have enough machines to seriously consider putting them in a domain.