在Powershell中使用加密的密码作为CMD的参数

Question

I am trying to execute an Oracle EXPDP(Oracle Data Pump) command through Powershell, using an encrypted password file so I can keep my database password out of my git repo. Here's what my code to generate the file looks like:

"Password1" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\\Backups\\dbPassword.txt"

Obviously Password1 isn't the actual password, but you get the idea...

I want to write a script to decrypt that file, then take the decrypted "Password1" value and use it in the expdb command as my db password. Here's what I've come up with so far:

$dbPassword =  cat C:\backups\dbPassword.txt | convertto-securestring -AsPlainText -Force
$timeStamp = "$(get-Date -f MMddyyyy)"
$expdb = 'EXPDP'
$dbCredential = 'system/'+$dbPassword
$expdbDirectory = 'directory=backups'
$expdbFull = 'full=Y'
$expdbDRFileNamePrefix = 'EXPALL_DR_' + $timeStamp
$expdbDRFileNameDMP = $expdbDRFileNamePrefix + '.DMP'
$expdbDRFileNameLOG = $expdbDRFileNamePrefix + '.log'
$expdbDRFile = 'file=' + $expdbDRFileNameDMP
$expdbDRLog = 'log=' + $expdbDRFileNameLOG

$command = $expdb + ' ' + $dbCredential + ' ' + $expdbDirectory + ' ' + $expdbFull + ' ' + $expdbDRFile + ' ' + $expdbDRLog

Invoke-Expression $command

When I execute this, I get the following error:

EXPDP : 
At line:1 char:1
+ EXPDP system/System.Security.SecureString directory=backups full=Y fi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Export: Release 11.2.0.1.0 - Production on Fri Oct 14 16:09:55 2016
Copyright (c) 1982, 2009, Oracle and/or its affiliates.  All rights reserved.
UDE-01017: operation generated ORACLE error 1017
ORA-01017: invalid username/password; logon denied
Username: 

I assume I need to use the equivalent of a "toString" command to make it fully plain text for the command line. Anyone know what this is, or if there's a way to use the PSCredential object to do this?

Thanks!

Answer 1

The password doesn't decrypt itself, so you'd need to do it yourself. The easiest way to do this, is to create a PSCredential object, as @briantist suggested. It allows to retrieve the (unencrypted) password via its GetNetworkCredential() method.

$dbPassword = Get-Content 'C:\backups\dbPassword.txt' |
              ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object Management.Automation.PSCredential('system', $dbPassword)
...
$command = $expdb + ' ' + $cred.UserName + '/' +
           $cred.GetNetworkCredential().Password + ...

However, you're storing the unencrypted password in a file, and your external command seems to expect plaintext credentials anyway, so I don't see a point in encrypting the password during the transfer from file to command. That would be like building a gate in the middle of an empty place.

Answer 2

I wonder if the problem is your password itself. You have to be careful about what special characters are in the password. For example, an ampersand & or a pipe | or redirection characters <> or quotes ' (especially double " ), and even caret ^ may cause problems because they are special characters for the command interpreter. How you escape each of these will be different, so it depends on which ones you have.

You might try the same thing first with a very simple password to see if it works, and if so you can start with a password containing only alphanumerics and then add special characters one at a time to see if they work.