1

I've had to implement an automated SFTP file transfer which requires a username and password.

Not wanting to leave the password in a text file / batch script for the world to stumble across, I've elected to store the username and password in a specific user's environment variables for safety reasons.

When the automated WinSCP script runs, it works as stipulated.

Now, naturally, any user with appropriate administrative permissions can edit the registry and find the credentials in there. While more secure than a standard batch file, I'm still not entirely happy about this.

What I want to know is whether or not there's a safer way to store sensitive variables than this, and whether there is a better approach others have thought of?

Karl Buys

1 Answer

0

As mentioned in the WinSCP article on Security of Credentials (while in a somewhat different context):

It is not possible to securely encrypt passwords in a way that still allows for automatic use.


Though you can hide/obfuscate them better than storing them in plain text in the Windows registry.

You can, for example, use a "secure string" from a wrapper PowerShell script (see ConvertTo-SecureString). Or use PowerShell directly for your whole transfer, using the WinSCP .NET assembly.

See another WinSCP article about Protecting credentials used for automation.

Martin Prikryl
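A sketch of the wrapper approach the answer describes, as an added example that is not part of the original answer or of WinSCP's documentation: the password is stored as a DPAPI-protected secure string and passed to the WinSCP .NET assembly. The file paths, host name, user name, fingerprint placeholder and assembly location are assumptions to replace with your own values.

```powershell
# Added example; paths, host name, user name and fingerprint are placeholders.
param(
    [switch]$Setup,
    [string]$SecretFile = "$env:LOCALAPPDATA\sftp-transfer\password.txt"
)

if ($Setup) {
    # One-time step, run interactively AS the account that will run the job.
    # ConvertFrom-SecureString without -Key protects the value with DPAPI,
    # so only this user on this machine can turn it back into a SecureString.
    New-Item -ItemType Directory -Force -Path (Split-Path $SecretFile) | Out-Null
    Read-Host -AsSecureString -Prompt 'SFTP password' |
        ConvertFrom-SecureString |
        Set-Content -Path $SecretFile
    return
}

# Scheduled run: read the DPAPI blob back into a SecureString.
# This fails if the file was created by a different user or on another machine.
$securePassword = Get-Content -Path $SecretFile | ConvertTo-SecureString

# Assumed install location of the WinSCP .NET assembly.
Add-Type -Path 'C:\Program Files (x86)\WinSCP\WinSCPnet.dll'

$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol              = [WinSCP.Protocol]::Sftp
    HostName              = 'sftp.example.com'          # placeholder
    UserName              = 'transfer-user'             # placeholder
    SecurePassword        = $securePassword             # never held as plain text here
    SshHostKeyFingerprint = '<host key fingerprint>'    # placeholder, take from the server
}

$session = New-Object WinSCP.Session
try {
    $session.Open($sessionOptions)
    # Upload and throw on any transfer failure.
    $session.PutFiles('C:\outbound\*.csv', '/inbound/').Check()
}
finally {
    $session.Dispose()
}
```

This narrows who can read the password to code running as that one account on that one machine; as the quoted WinSCP article says, it does not make automatic use secure against someone who can run code as that account. Restricting the NTFS permissions on the secret file and the script to the job's account limits exposure further.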