| external help file | DSInternals.PowerShell.dll-Help.xml |
|---|---|
| Module Name | DSInternals |
| online version | https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Protect-DpapiNgData.md |
| schema | 2.0.0 |
Encrypts text with DPAPI-NG.
Protect-DpapiNgData [-Descriptor] <String> [-Cleartext] <String> [-Encoding <Encoding>] [<CommonParameters>]
Protect-DpapiNgData [-NamedDescriptor] <String> [-Machine] [-Cleartext] <String> [-Encoding <Encoding>] [<CommonParameters>]
This cmdlet protects the supplied plaintext with DPAPI-NG and returns the protected binary blob as a base64 string.
Use Descriptor to supply a protection descriptor rule string directly, or NamedDescriptor to use a registered named descriptor.
When NamedDescriptor is used, the Machine switch resolves the descriptor in the local machine descriptor registry hive.
The cleartext is encoded as UTF-16 little-endian before encryption by default. Supply Encoding to use a different text encoding.
PS C:\> Protect-DpapiNgData -Descriptor 'LOCAL=user' -Cleartext 'Pa$$w0rd'
Protects text for the current user and returns a base64-encoded DPAPI-NG blob.

PS C:\> Protect-DpapiNgData -NamedDescriptor 'LocalMachine' -Machine -Cleartext 'Pa$$w0rd'
Protects text by using a named descriptor registered in the local machine hive.
PS C:\> Protect-DpapiNgData -Descriptor 'SID=S-1-5-21-3288850392-3299536932-2614793081-512' -Cleartext 'Pa$$w0rd' -Encoding UTF8
Encrypts the UTF-8 encoded text so that only a holder of the specified SID-bound group key (here, the Domain Admins group) can decrypt it, and returns the protected blob as a base64 string.
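Building on the SID-bound example above, the following added example (not taken from the DSInternals documentation) builds a descriptor for more than one principal and protects a secret with an explicit encoding. It assumes a domain-joined machine; the helper `New-SidProtectionDescriptor` and the `CONTOSO` account names are hypothetical, and joining rules with `OR` is standard DPAPI-NG descriptor syntax rather than something this page documents.

```powershell
# Added example. New-SidProtectionDescriptor is a hypothetical helper, not part of DSInternals.
Import-Module DSInternals

function New-SidProtectionDescriptor {
    [CmdletBinding()]
    param(
        # Accounts allowed to decrypt, in DOMAIN\name form.
        [Parameter(Mandatory)]
        [string[]] $Account
    )

    $rules = foreach ($name in $Account) {
        # Resolve the name to a SID. Translate() throws IdentityNotMappedException
        # for an unknown account, so a typo cannot silently produce a wrong rule.
        $sid = [System.Security.Principal.NTAccount]::new($name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        "SID=$($sid.Value)"
    }

    # Rules joined with OR: any one of the listed principals can decrypt.
    $rules -join ' OR '
}

# Constructed sample account names; replace with principals from your own domain.
$descriptor = New-SidProtectionDescriptor -Account 'CONTOSO\Domain Admins', 'CONTOSO\svc-deploy'

# Single quotes keep the $$ in the sample password literal.
$secret = 'Pa$$w0rd'

# The cmdlet defaults to UTF-16LE. Pick the encoding explicitly and store its name
# with the blob, because the decrypted bytes must be decoded with the same encoding.
$encoding = [System.Text.Encoding]::UTF8

# Cleartext accepts pipeline input by value, so the secret can be piped in.
$blob = $secret | Protect-DpapiNgData -Descriptor $descriptor -Encoding $encoding

# Sanity checks: the output must be valid base64, and the record shows how the
# encoding choice changes the plaintext size that goes into the blob.
$raw = [System.Convert]::FromBase64String($blob)
[pscustomobject]@{
    Descriptor        = $descriptor
    Encoding          = $encoding.WebName
    PlainBytesUtf8    = [System.Text.Encoding]::UTF8.GetByteCount($secret)
    PlainBytesUtf16LE = [System.Text.Encoding]::Unicode.GetByteCount($secret)
    BlobBytes         = $raw.Length
}
```
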
-Cleartext
Specifies the text to protect.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-Descriptor
Specifies the DPAPI-NG protection descriptor rule string.
Type: String
Parameter Sets: Descriptor
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Encoding
Specifies the text encoding used to convert Cleartext to bytes before encryption.
Accepts a System.Text.Encoding instance (such as [System.Text.Encoding]::UTF8) or one of the following well-known encoding names, which are also offered through tab completion: ASCII, BigEndianUnicode, Unicode, UTF32, UTF7, UTF8.
Type: Encoding
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [System.Text.Encoding]::Unicode
Accept pipeline input: False
Accept wildcard characters: False

-Machine
Indicates that the named descriptor should be resolved from the local machine registry hive.
Type: SwitchParameter
Parameter Sets: NamedDescriptor
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-NamedDescriptor
Specifies the name of a registered DPAPI-NG protection descriptor.
Type: String
Parameter Sets: NamedDescriptor
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Alias: Protect-CngDpapiData
Get-DpapiNgData Unprotect-DpapiNgData New-DpapiNgNamedDescriptor