Storing PowerShell Credentials in JSON

Sometimes I do things in PowerShell just to see what happens. This is a great way to learn about new cmdlets and techniques. Sometimes these experiments lead to useful results. Other times they may end up as teaching devices. Of  course the result could serve both purposes and you may have to decide that today as I look at storing credentials in a JSON file.

Since the early days of PowerShell we’ve preached the perils of hard-coding credentials in your scripts. If you need a password you should prompt for it, or write your PowerShell tool to accept a credential object. But there may be situations where you need to automate a process AND use an alternate or specific credential. One approach is to use the cliXML cmdlets to securely store a credential.

I manually created a credential so you could see the password. When you use Export-Clixml PowerShell automatically converts the secure string password.


The password is encrypted using native crypto APIs. You can only reverse the process on the same computer.

If I copy the file to another computer and try the process I’ll get an error.


Oh, and to prove the import worked locally:


But what if, for some reason, you wanted to use a JSON file for the stored credential? How would you do it?

PowerShell won’t automatically insert the conversion steps, but they aren’t that difficult to implement yourself. First, you have to  select the username and convert the password back from a secure string.

This object can now be piped to Convertto-Json:


This cmdlet doesn’t create a file so you will need to pipe to Out-File or Set-Content.

One slight advantage of json over XML is that the file overhead is smaller.


But now let’s see about brining it back to life. First, convert the content from JSON.

Next, convert the password value back to a secure string.

Finally, create a credential object.


The whole process is really not that cumbersome, but I went ahead and created a PowerShell module called PSJsonCredential.

The module has commands for exporting, importing and reporting.

This command also has a -NoClobber parameter to avoid overwriting an existing file. I also added a metadata property to indicate who, where and when. You can get this data with Get-PSCredentialFromJson:


The import command can ignore the metadata.


I’ve published the module to the PowerShell gallery if you would like to try it out or look more closely at the code.


As I mentioned at the beginning, this module is hardly groundbreaking and may have no practical use. But at the very least it might offer some insights into working with credentials and JSON files.

Note that storing a credential in *any* form to disk is a potential security risk and may not be allowed in some organizations. It is up to you to determine how suitable these techniques are in your company.

I hope you’ll let me know what you think and especially if you find a practical application.

7 thoughts on “Storing PowerShell Credentials in JSON

  1. Thanks Jeff for a nice post as usual. I’ve tried it, and as expected, the credentials don’t carry over from one computer to another, whether they’re saved as JSON or XML..

  2. So this can be encrypted by ANY user on THIS computer or can be decrypted only THIS user on THIS computer?

  3. Nice work Jeff,

    Does using JSON also have the added benefit over XML of being able to retrieve the credentials if copied to another system?


    • No. This is still storing an encrypted secure string that can only be decrypted on the original server.

Comments are closed.