Add-ProtectedDataCredential
NAME Add-ProtectedDataCredential
SYNOPSIS
Adds one or more new copies of an encryption key to an object generated by Protect-Data.
SYNTAX
Add-ProtectedDataCredential [-InputObject] <Object> -Certificate <Object> [-UseLegacyPaddingForDecryption]
[-NewCertificate <Object[]>] [-UseLegacyPadding] [-NewPassword <SecureString[]>] [-PasswordIterationCount <Int32>]
[-SkipCertificateVerification] [-Passthru] [<CommonParameters>]
Add-ProtectedDataCredential [-InputObject] <Object> -Password <SecureString> [-NewCertificate <Object[]>]
[-UseLegacyPadding] [-NewPassword <SecureString[]>] [-PasswordIterationCount <Int32>]
[-SkipCertificateVerification] [-Passthru] [<CommonParameters>]
DESCRIPTION
This command can be used to add new certificates and/or passwords to an object that was previously encrypted by
Protect-Data. The caller must provide one of the certificates or passwords that already exists in the
ProtectedData object to perform this operation.
PARAMETERS
-InputObject <Object>
The ProtectedData object which was created by an earlier call to Protect-Data.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-Certificate <Object>
An RSA or ECDH certificate which was previously used to encrypt the ProtectedData structure's key.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-UseLegacyPaddingForDecryption [<SwitchParameter>]
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Password <SecureString>
A password which was previously used to encrypt the ProtectedData structure's key.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NewCertificate <Object[]>
Zero or more RSA or ECDH certificates that should be used to encrypt the data. The data can later be decrypted
by using the same certificate (with its private key.) You can pass an X509Certificate2 object to this
parameter, or you can pass in a string which contains either a path to a certificate file on the file system,
a path to the certificate in the Certificate provider, or a certificate thumbprint (in which case the
certificate provider will be searched to find the certificate.)
Required? false
Position? named
Default value @()
Accept pipeline input? false
Accept wildcard characters? false
-UseLegacyPadding [<SwitchParameter>]
Optional switch specifying that when performing certificate-based encryption, PKCS#1 v1.5 padding should be
used instead of the newer, more secure OAEP padding scheme. Some certificates may not work properly with OAEP
padding.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-NewPassword <SecureString[]>
Zero or more SecureString objects containing passwords that will be used to derive encryption keys. The data
can later be decrypted by passing in a SecureString with the same value.
Required? false
Position? named
Default value @()
Accept pipeline input? false
Accept wildcard characters? false
-PasswordIterationCount <Int32>
Optional positive integer value specifying the number of iterations that should be used when deriving
encryption keys from the specified password(s). Defaults to 50000.
Higher values make it more costly to crack the passwords by brute force.
Required? false
Position? named
Default value 50000
Accept pipeline input? false
Accept wildcard characters? false
-SkipCertificateVerification [<SwitchParameter>]
Deprecated parameter, which will be removed in a future release. Specifying this switch will generate a
warning.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Passthru [<SwitchParameter>]
If this switch is used, the ProtectedData object is output to the pipeline after it is modified.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
[PSObject]
The input object should be a copy of an object that was produced by Protect-Data.
OUTPUTS
None, or
[PSObject]
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Add-ProtectedDataCredential -InputObject $protectedData -Certificate $oldThumbprint -NewCertificate $newThumbprints -NewPassword $newPasswords
Uses the certificate with thumbprint $oldThumbprint to add new key copies to the $protectedData object.
$newThumbprints would be a string array containing thumbprints, and $newPasswords would be an array of
SecureString objects.
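A password-rotation workflow built around this cmdlet, as an added example that is not part of the module's own help. It assumes the module is installed under the name ProtectedData and uses the -Password parameters of Protect-Data, Unprotect-Data and Remove-ProtectedDataCredential, which this page does not document; all secrets are constructed sample values.

```powershell
Import-Module ProtectedData   # assumption: module name; must already be installed

# Constructed sample values. In real use, obtain secrets with
# Read-Host -AsSecureString or from a vault, never from literals in a script.
$plaintext   = 'constructed sample secret'
$oldPassword = ConvertTo-SecureString 'constructed-old-passphrase' -AsPlainText -Force
$newPassword = ConvertTo-SecureString 'constructed-new-passphrase' -AsPlainText -Force

# 1. Starting state: the object's key is protected by the old password only.
$protectedData = Protect-Data -InputObject $plaintext -Password $oldPassword

# 2. Add a key copy for the new password. The old password unlocks the existing
#    key; a higher iteration count than the 50000 default is requested.
Add-ProtectedDataCredential -InputObject $protectedData -Password $oldPassword `
    -NewPassword $newPassword -PasswordIterationCount 100000

# 3. Verify the new credential works before retiring the old one.
$roundTrip = Unprotect-Data -InputObject $protectedData -Password $newPassword
if ($roundTrip -ne $plaintext) {
    throw 'New password did not decrypt the object; aborting rotation.'
}

# 4. Retire the old password.
Remove-ProtectedDataCredential -InputObject $protectedData -Password $oldPassword

# 5. Confirm the old password no longer unlocks this copy of the object.
$oldStillWorks = $true
try   { $null = Unprotect-Data -InputObject $protectedData -Password $oldPassword -ErrorAction Stop }
catch { $oldStillWorks = $false }
if ($oldStillWorks) { throw 'Old password still decrypts the object.' }
```

Because the cmdlet adds copies of the same encryption key, any earlier saved copy of the object still decrypts with the old password. If that password is believed compromised, re-encrypt the data with Protect-Data rather than only swapping credentials.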
RELATED LINKS
Unprotect-Data
Add-ProtectedDataCredential
Remove-ProtectedDataCredential
Get-ProtectedDataSupportedTypes