Encrypting AGRIS credentials for report streams/batch files/command lines/etc.

If using batch files to automate AGRIS report streams, it is very likely that they contain valid AGRIS credentials in plain text. For security purposes, it is desirable to introduce encryption to hide these credentials.

These are the steps to encrypt and execute such batch files/command line parameters:

Create a batch file and test to make sure it produces the desired result (i.e., it launches AGRIS and runs a report stream). For the purposes of this article, let's say that command line has already been created successfully.
1. Example file name: AGRIS-RS-004.BAT
2. Example file contents: C:\Apps\AGRIS\bin\SysMenu.exe /D001 /Uusr /Ppassword /L200 /R04

Modify the file extension (or make a copy of the batch file with a new file extension) so that the file is a .TXT instead of a .BAT
1. Example AGRIS-RS-004.BAT --> AGRIS-RS-004.TXT

To convert the plain text commands to an encrypted string, open PowerShell and execute these 4 commands:
1. NOTE: Replace "C:\Apps\AGRIS-RS-004.TXT" with the path and filename of the TXT containing the AGRIS command line info.
2. NOTE: Replace "C:\apps\AGRIS-RS-004-Encrypted.TXT" with the path and filename where the encrypted info will be stored.

$Code = Get-Content C:\Apps\AGRIS-RS-004.TXT

$CodeSecureString = ConvertTo-SecureString $Code -AsPlainText -Force

$Encrypted = ConvertFrom-SecureString -SecureString $CodeSecureString

$Encrypted | Out-File -FilePath C:\apps\AGRIS-RS-004-Encrypted.TXT

Encryption Commands

Next, create a PS1 script that will execute the encrypted commands:
1. BEST PRACTICE: Add a remark statement to the script that indicates what the script does since it won't be clear otherwise.
  1. To add a remark, put a # symbol at the start of a line and anything that follows on that same line will be identified as a remark.
  2. Recommendation is to add the original plain text command as a remark and then remove the password value.
  3. It is helpful to leave the User ID in place to know what account the script will use to sign into AGRIS.
2. BEST PRACTICE: Incorporate identifiers into the name of the script to help differentiate various scripts.
  1. Example: AGRIS-RS-004.PS1

# C:\Apps\AGRIS\bin\SysMenu.exe /D001 /Uusr /P /L200 /R04

$Instructions = “”

$Decrypt = $Instructions | ConvertTo-SecureString

$Code = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Decrypt))

Invoke-Expression $Code

Modify the PS1 script and substitute in the actual $Encrypted value that was obtained in Step 3 between the quotation marks in the $Instructions line.
1. Example:

$Instructions = "01000000d08c9ddf0115d1118c7a00c04fc297eb010000000898e13342ab044690e57e18fd381ce40000000002000000000003660000c000000010000000c0f5c4192646e516c003b7a61c828e6e0000000004800000a0000000100000000524419e284aef02a0242893e3441bbf80000000f108deb5de8c81a299a91ba7b7a80c1eb822fa922b4133f20e1aa6848f3b309324a1797032312e0ed3480f842e43f43bcc9dfc1414ad7e78b46a12fa221771bc592207f411ab0588240fd31e3196e75a0db4d364e4848a045d76ff1b1ad67230f587c6325159302a10686772d787e09fbfedffa3be7831e42a33bc4e68785ca5140000004f080a0c60ee4ae96585a240152e7d0582c70bce"

$Decrypt = $Instructions | ConvertTo-SecureString

$Code = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Decrypt))

Invoke-Expression $Code

Run Encrypted Code

Save the updated PS1 script.

Execute PS1 and verify that it produces the desired outcome. If it does, then automate this script as desired.

Once the PS1 script has been validated and is running as expected, the original batch file and output file generated in Step #3 can be deleted, modified, archived, etc. The only file needed moving forward is the one created in Steps #3 - 6.

Credit to Brien Posey:

https://www.itprotoday.com/powershell/secure-sensitive-information-powershell-scripts-encryption

How To Encrypt Code in PowerShell Scripts (youtube.com):

https://www.youtube.com/watch?v=TSdtSx0T6MY