ConvertFrom SecureString - PowerShell


The ConvertFrom-SecureString command in PowerShell transforms a plaintext string into a secure string object. This is useful for securely handling sensitive information like passwords or encryption keys in PowerShell scripts or functions.


ConvertFrom-SecureString -String <String> [-AsPlainText] [-Force] [-KeyContainer <String>]


  • -String : The plaintext string you wish to convert.
  • -AsPlainText: Specify this flag if you want to output the secure string as plaintext (not recommended for sensitive data).
  • -Force: Overwrite any existing secure string with the same name.
  • -KeyContainer : Specify the key container to use for encryption. Defaults to “Microsoft Software Protection Platform”.


Generate a Secure String:

$securePassword = ConvertFrom-SecureString -String "password"

View Secure String (not recommended):

$securePassword | ConvertFrom-SecureString -AsPlainText

Store Sensitive Data in a Variable:

$apiToken = ConvertFrom-SecureString -String "your_api_token"

Overwrite Existing Secure String:

ConvertFrom-SecureString -String "new_password" -Force -KeyContainer "CustomKeyContainer"

Common Issues

  • Incorrect Key Container: Ensure the specified key container exists and is accessible.
  • Permission Errors: Check if you have sufficient permissions to access or create the key container.
  • Invalid Plaintext String: Verify that you entered the plaintext string correctly.


  • Combine it with Write-Output to securely store and retrieve sensitive data in variables.
  • Use it with other security-related commands like Set-ExecutionPolicy or Grant-Access.
  • Integrate it into functions or scripts for automating sensitive data management tasks.
  • ConvertTo-SecureString: Converts a secure string object back to plaintext.
  • Get-SecureString: Retrieves a secure string from a file or user input.
  • SecureString: Creates a new secure string object.