I have a module that includes some strings with some private data that should be hard to attain, but changes frequently. I need to put this script on a variety of machines w
The encrypted secret string on its own is safe, but it is presumably unusable in that form. ConvertTo-SecureString will convert it from an encrypted standard string into a SecureString, but in order to do that, you need the key. If your users or script have the key, then they can do anything.
And can you even pass the SecureString to whatever application you are working with, or will you need to convert it back to a regular string? If the secret data is at any time in plaintext form, then your users can see it.
Even if your application supports SecureString, you are still hosed because SecureString is trivially crackable:
# Copy the SecureString into an unmanaged BSTR, then read that buffer back as an ordinary .NET string
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securestring)
)
The approach of encrypting the secret data with some key, but allowing low-priv users to have the key, is broken. It's equivalent to "I don't want my friend to have the keys to my house, so I'll lock the keys in a box and give him the keys to the box instead."
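To make the point concrete, here is an added PowerShell walk-through (example code, not part of the original answer) that runs the whole round trip: encrypt a secret with a key via ConvertFrom-SecureString -Key, show that a wrong key is rejected, then recover the plaintext with the right key and the Marshal trick above. The key bytes and the secret 'Hunter2!' are constructed sample values; a real key would be random, but that changes nothing about the conclusion, since anyone who can run the script has the key.

```powershell
# Added example, not from the original answer. Shows that once a script (and
# therefore its users) holds the key, the "encrypted standard string" is only
# one cmdlet call away from plaintext.

# 1. The "protected" form: a 256-bit AES key and an encrypted standard string.
#    $key and $secret are constructed sample values. ConvertFrom-SecureString -Key
#    uses AES, and its output is plain hex text you could embed in a module.
$key    = [byte[]](1..32)                       # constructed; use random bytes for a real key
$secret = ConvertTo-SecureString 'Hunter2!' -AsPlainText -Force
$encryptedStandardString = ConvertFrom-SecureString -SecureString $secret -Key $key
Write-Host "Encrypted standard string: $encryptedStandardString"

# 2. Without the key, decryption is rejected (this is the only protection you get).
$wrongKey = [byte[]](32..63)
try {
    ConvertTo-SecureString -String $encryptedStandardString -Key $wrongKey -ErrorAction Stop | Out-Null
    Write-Host "Unexpected: wrong key was accepted"
} catch {
    Write-Host "Wrong key rejected: $($_.Exception.Message)"
}

# 3. With the key, which the script must contain to be useful, the SecureString
#    comes back, and Marshal turns it straight into a normal string. PtrToStringBSTR
#    is the BSTR-specific variant of the PtrToStringAuto call in the answer.
$secureString = ConvertTo-SecureString -String $encryptedStandardString -Key $key
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString)
try {
    $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    # Scrub and free the unmanaged copy so it does not linger in process memory.
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
Write-Host "Recovered plaintext with the shipped key: $plaintext"
```

Note that step 3 is exactly what the script itself has to do to use the secret, so any user who can read the script (or attach a debugger to the process running it) gets the same result; the ZeroFreeBSTR call limits how long the plaintext sits in memory but does not change who can obtain it.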