I have a few scripts in my $profile that require passwords for things like connecting to a corporate VPN or sending a command to a virtualized VM.
I don't want to type these passwords over and over, and storing the passwords in my $profile is insecure. So I've come up with a solution. On $profile startup, I do something like this:

    $env:VpnPassword = (Get-Credential Domain\George.Mauer).GetNetworkCredential().Password

So when PowerShell starts I enter a password one time, and in any scripts I can then use $env:VpnPassword.
I've confirmed that the variable is available only to the PS Session. And my reasoning is, since it seems to be in memory, that's a reasonably safe place to store it.
Is my logic sound? Are the $env values I'm creating stored only in memory? What about the pagefile? Is that something that could be used to somehow grab these strings? Is there a better way to achieve what I'm trying to do without introducing whole new systems?
I verified $env is ONLY in RAM. It left no pointers when PS closed. The underlying destructor fires even if you punch the PS exe into breaking; it still cleans up. Even with a shared memory attack, that address space is only available to system32, etc. and kernel mode drivers as far as I know. You would have to know the exact memory address and size of the data to find anything, assuming you even had a process that was elevated enough. That being said, I don't really see any need for encryption.
This answer will begin the self destruct sequence on WM_CLOSE...
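
An added example, not part of the question or the answer above: it checks whether a child process started from the session can read a `$env:` value, then shows the same prompt-once pattern with the `Get-Credential` result cached in a session variable instead. `Test-EnvInheritance`, `Get-VpnCredential`, `$global:VpnCredential` and `DemoSecret` are hypothetical names, and the sample value is constructed.

```powershell
# Added example; function and variable names are hypothetical.

function Test-EnvInheritance {
    # Put a constructed, non-secret value in the process environment.
    $env:DemoSecret = 'constructed-demo-value'
    try {
        # Start a child copy of the current PowerShell host. -NoProfile keeps
        # the child from running the profile (and prompting again).
        $hostExe = (Get-Process -Id $PID).Path
        $seen = & $hostExe -NoProfile -Command '$env:DemoSecret'
        # True means the child received a copy of the value.
        return ($seen -eq 'constructed-demo-value')
    }
    finally {
        Remove-Item Env:\DemoSecret -ErrorAction SilentlyContinue
    }
}

function Get-VpnCredential {
    # Prompt once per session, then reuse. The PSCredential keeps the
    # password as a SecureString, and a PowerShell variable is not part of
    # the environment block handed to child processes.
    if (-not $global:VpnCredential) {
        $global:VpnCredential = Get-Credential -UserName 'Domain\George.Mauer' `
                                               -Message 'VPN password'
    }
    return $global:VpnCredential
}

# Check how the session behaves before deciding where to keep the secret.
"Child process can read `$env: values: $(Test-EnvInheritance)"

# Prefer handing the PSCredential to cmdlets that accept -Credential.
# Where a tool needs the plain text, expand it only at the call site:
#   $plain = (Get-VpnCredential).GetNetworkCredential().Password
```

Running `Remove-Variable VpnCredential -Scope Global` drops the cached credential before the session ends.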