How do I tell if a string is an encrypted secure string or plain text in powershell?

Question

Suppose I have a string:

"password"

And it may be in the form of an encrypted secure string converted to text. This secure string text may be decrypted via ConvertFrom-SecureString to recover the "password":

"1213132131....1232131" | ConvertFrom-SecureString |%{echo $_}
password

Is there any way to have powershell tell me whether the input string is already decrypted?

Or do I need to devise some other way to tell whether the input string is in plain text or encrypted as a secure string?

Answer 1

Caveat:

• Use of [securestring] in new projects is discouraged, because it offers very little protection on Unix-like platforms and only limited protection on Windows. See this .NET platform-compatibility recommendation and this answer.

---

You can infer whether the string is encrypted or not based on whether applying ConvertTo-SecureString to it succeeds or not:

# Sample input string, already decrypted.
$str = 'hello'

$isEncrypted = 
  $null -ne (
    $secureString = try { $str | ConvertTo-SecureString -ErrorAction Stop } 
                    catch { }
  )

If the string is encrypted - i.e. if it is the serialized form of a [securestring] instance obtained with ConvertFrom-SecureString - $secureString is assigned the deserialized form (i.e. a [securestring] instance).

Note that - by security-minded design - ConvertTo-SecureString only works if a given serialized-from-[securestring] input string was serialized by the same user account.