Custom encryption and decryption of PowerShell scripts

To allow users to run, in medium integrity mode, PowerShell scripts that were not written by Snow Software, a unique custom encryption key can be used instead of the default encryption key. The custom encryption key overwrites the default key.

To generate a custom encryption key, use the psencrypt.exe tool. The tool can be downloaded from the support article named PSEncrypt.exe tool on Snow Community; you must sign in to access the article.

psencrypt.exe keygen

To enable encryption with a custom encryption key, use the configuration option powershell.encryption_key in SystemSettings:

<SystemSettings>
    <Setting key="powershell.encryption_key" value="[value of custom encryption key]"/>
</SystemSettings>
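
Because the setting above stores the key as plain text in the configuration file, it is worth confirming that the key is actually set and reviewing who can read that file. The following check is an added example, not Snow Software's own tooling; `$ConfigPath` is a placeholder (this page does not state where the configuration file is stored), and the script assumes the file uses no XML namespace.

```powershell
# Added example: confirm the custom-key setting and review file access.
# $ConfigPath is a placeholder; supply the path to the agent configuration file.
param(
    [Parameter(Mandatory)]
    [string]$ConfigPath
)

$ErrorActionPreference = 'Stop'

# Load the configuration and locate the setting shown on this page.
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$setting = $config.SelectSingleNode(
    "//SystemSettings/Setting[@key='powershell.encryption_key']")

if ($null -eq $setting) {
    Write-Warning 'powershell.encryption_key is not present in this file.'
}
else {
    $value = $setting.GetAttribute('value')
    if ([string]::IsNullOrWhiteSpace($value) -or $value -match '^\[.*\]$') {
        # Catches an empty value or the "[value of custom encryption key]" placeholder.
        Write-Warning 'powershell.encryption_key is empty or still holds placeholder text.'
    }
    else {
        # Never echo the key itself; report only that it is present.
        Write-Output 'powershell.encryption_key is set (value not shown).'
    }
}

# The same key is entered for both encrypt and decrypt, so every account that
# can read this file can obtain it. List the Allow entries for review.
(Get-Acl -LiteralPath $ConfigPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```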

To encrypt scripts with the custom encryption key:

  1. Use the psencrypt.exe tool:

    psencrypt.exe encrypt <path_to_target_script> <path_to_output_file>
  2. When asked for input, enter the custom encryption key.

    Note

    Scripts created by Snow Software and customers can both be encrypted by using a custom encryption key.

    Note

    When Inventory Agent is configured to use a custom encryption key, it will not execute the default scripts that are provided by Snow Software. To execute these scripts, they must be encrypted a second time, using the custom encryption key:

    psencrypt.exe encrypt <Snow Software standard script>.snow-ps1 <re-encrypted Snow Software script>.snow-ps1

To decrypt scripts with the custom encryption key:

  1. Use the psencrypt.exe tool:

    psencrypt.exe decrypt <path_to_target_script> <path_to_output_file>
  2. When asked for input, enter the custom encryption key.