1

I am trying to execute an Oracle EXPDP (Oracle Data Pump) command through PowerShell, using an encrypted password file so I can keep my database password out of my git repo. Here's what my code to generate the file looks like:

"Password1" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\Backups\dbPassword.txt"

Obviously Password1 isn't the actual password, but you get the idea...

I want to write a script to decrypt that file, then take the decrypted "Password1" value and use it in the expdb command as my db password. Here's what I've come up with so far:

$dbPassword =  cat C:\backups\dbPassword.txt | convertto-securestring -AsPlainText -Force
$timeStamp = "$(get-Date -f MMddyyyy)"
$expdb = 'EXPDP'
$dbCredential = 'system/'+$dbPassword
$expdbDirectory = 'directory=backups'
$expdbFull = 'full=Y'
$expdbDRFileNamePrefix = 'EXPALL_DR_' + $timeStamp
$expdbDRFileNameDMP = $expdbDRFileNamePrefix + '.DMP'
$expdbDRFileNameLOG = $expdbDRFileNamePrefix + '.log'
$expdbDRFile = 'file=' + $expdbDRFileNameDMP
$expdbDRLog = 'log=' + $expdbDRFileNameLOG

$command = $expdb + ' ' + $dbCredential + ' ' + $expdbDirectory + ' ' + $expdbFull + ' ' + $expdbDRFile + ' ' + $expdbDRLog

Invoke-Expression $command

When I execute this, I get the following error:

EXPDP : 
At line:1 char:1
+ EXPDP system/System.Security.SecureString directory=backups full=Y fi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Export: Release 11.2.0.1.0 - Production on Fri Oct 14 16:09:55 2016
Copyright (c) 1982, 2009, Oracle and/or its affiliates.  All rights reserved.
UDE-01017: operation generated ORACLE error 1017
ORA-01017: invalid username/password; logon denied
Username: 

I assume I need to use the equivalent of a "toString" command to make it fully plain text for the command line. Anyone know what this is, or if there's a way to use the PSCredential object to do this?

Thanks!

5
  • why encrypt the file? if you .gitignore the file, you might as well just keep the pw plaintext and bypass this problem. Commented Oct 14, 2016 at 20:22
  • so leave the password as plain text on the server, but ignore it in git? I suppose, but encrypting it provides some additional security, even if it is simply security through obscurity. Commented Oct 14, 2016 at 20:24
  • An encrypted password doesn't magically decrypt itself just because you want it to. Your command line expects a plaintext password anyway, so there's no point at all in reading an unencrypted password from a file, encrypting it, then decrypting it again to actually be able to use it. Commented Oct 14, 2016 at 20:33
  • I guess we are outputting to a logfile anyway, which would be in plain text, so this makes sense. I just don't like having plain text passwords sitting out there. Unavoidable sometimes I suppose. I'd accept that as an answer if you want to write it up as one. Commented Oct 14, 2016 at 20:44
  • Depending on your infrastructure, the easiest and most wide ranging solution to this is to use a service account along with externally identified users (windows trusted authentication) in Oracle. No password required as it uses the service account to log in. Commented Sep 25, 2017 at 2:16

2 Answers 2

5

The password doesn't decrypt itself, so you'd need to do it yourself. The easiest way to do this is to create a PSCredential object, as @briantist suggested. It allows you to retrieve the (unencrypted) password via its GetNetworkCredential() method.

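# The file holds the output of ConvertFrom-SecureString, so it is converted
# back without -AsPlainText (that switch would wrap the encrypted text itself).
$dbPassword = Get-Content 'C:\backups\dbPassword.txt' |
              ConvertTo-SecureString
$cred = New-Object Management.Automation.PSCredential('system', $dbPassword)
...
$command = $expdb + ' ' + $cred.UserName + '/' +
           $cred.GetNetworkCredential().Password + ...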

However, you're storing the unencrypted password in a file, and your external command seems to expect plaintext credentials anyway, so I don't see a point in encrypting the password during the transfer from file to command. That would be like building a gate in the middle of an empty place.

useless gate is useless


5 Comments

This is close. I need to do some debugging, but I'll edit this answer when I get it right next week. It's the end of the workweek for me though.
Haha that photo 😂
Glad you like it ;)
I finally got it. The answer is found here:
0

I wonder if the problem is your password itself. You have to be careful about what special characters are in the password. For example, an ampersand & or a pipe | or redirection characters <> or quotes ' (especially double "), and even caret ^ may cause problems because they are special characters for the command interpreter. How you escape each of these will be different, so it depends on which ones you have.

You might try the same thing first with a very simple password to see if it works, and if so you can start with a password containing only alphanumerics and then add special characters one at a time to see if they work.

9 Comments

The OP wants to run an external command (expdp) which seems to expect plaintext credentials. I fail to see how a PSCredential is going to help here.
Good things to note, though in this case, the most complex characters in the file are ! and ?. The rest are numbers and letters. The file looks fine though as an encrypted string.
@AnsgarWiechers if he still wants to store it encrypted (sometimes you can't restrict access to the filesystem as well as to the executing code, want to minimize possibility for exposure, or has to deal with certain regulations), it's easier with a [PSCredential] to export it / import it since the encryption/decryption is done for you, and with .GetNetworkCredential() it's also easier to get at the unencrypted password. If he opts to store it plaintext as you suggested in the comments then this is all moot but I'm addressing the situation where it remains encrypted on disk.
@briantist This isn't a Windows or Active Directory password. This is a password for Oracle. Does PSCredential work the same with that?
I think I see it.
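
An added example, not code from any poster in this thread: the full round trip on Windows, from protecting the password with ConvertFrom-SecureString to recovering it through a PSCredential, with the expdp arguments passed as an array instead of through Invoke-Expression so that characters such as & or | in the password are not re-parsed. The password, the temp file path and the $runExport switch are constructed for the demonstration; the expdp parameters are the ones from the question.

```powershell
# Constructed demo values (not from the post): a temp file and a sample password
# that deliberately contains characters PowerShell and cmd treat as syntax.
$secretFile          = Join-Path ([IO.Path]::GetTempPath()) 'dbPassword.demo.txt'
$constructedPassword = 'P@ss&word|1!?'
$runExport           = $false   # set to $true only where expdp and the account exist

# 1. Protect: SecureString -> DPAPI-encrypted text. Without -Key, only the same
#    Windows user on the same machine can convert it back.
ConvertTo-SecureString -String $constructedPassword -AsPlainText -Force |
    ConvertFrom-SecureString |
    Set-Content -Path $secretFile

# 2. Unprotect: no -AsPlainText here. With that switch the encrypted text itself
#    would become the "password", which is what produces ORA-01017.
$secure = Get-Content -Path $secretFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential('system', $secure)
$plain  = $cred.GetNetworkCredential().Password

if ($plain -cne $constructedPassword) { throw 'Round trip did not return the original password' }

# 3. Build the arguments as an array. Each element reaches expdp as one argument,
#    so nothing in the password is parsed as PowerShell syntax.
$timeStamp = Get-Date -Format 'MMddyyyy'
$prefix    = "EXPALL_DR_$timeStamp"
$expdpArgs = @(
    "$($cred.UserName)/$plain"
    'directory=backups'
    'full=Y'
    "file=$prefix.DMP"
    "log=$prefix.log"
)

# 4. Invoke with the call operator and splatting instead of Invoke-Expression.
if ($runExport) {
    & expdp @expdpArgs
} else {
    Write-Host "Round trip OK; expdp would receive $($expdpArgs.Count) arguments"
}

# Clean up the demo file and drop the plaintext copy.
Remove-Item -Path $secretFile
Remove-Variable plain, constructedPassword
```

The decrypted password still appears in the expdp process command line for as long as the export runs, so the file encryption protects the value at rest only.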