Pull Encrypted Password from Registry

Good day all. Got asked a unique question and I am not sure of the answer. My SQL team is asking, if they write an encrypted password to the registry, is it possible for BigFix to take an encrypted password from the registry, decrypt it and use it for a variable in a task? I am not sure about the decrypting the password part of it. Any thoughts would be greatly appreciated.

Yes, BigFix can facilitate this, but it’s important to understand that BigFix itself cannot perform decryption of encrypted data unless you explicitly provide the decryption logic.

First, you need to determine how the decryption can be performed successfully on the endpoint locally. Once that process is validated, someone can assist in mapping your decryption logic into a BigFix Action Script to achieve the desired outcome.

1 Like

VK,

Thank you for the knowledge, I will have to work with the SQL team to figure out how they are going to encrypt the password.

Another road to Rome: You can use Secure Parameters in BigFix to put the password into a BigFix Action (encrypted) and have the action perform the desired outcome. That way the password stays in the Action and is only decrypted by the BigFix agent while the Action is performed.

I actually suggested that, but they are going to be doing periodic password changes via SQL that will be included in the POS build. I won’t know what they are. That is why they suggested writing the encrypted password to the registry where I can do the decrypt thing then be allowed to perform necessary SQL scripts in the future.

So, the question will become: How do you decrypt that registry key value with a command line? Outside of BigFix, this is a general question.

If you can get that answered, then you should be able to do a BigFix action script that does that same method.

Because I have been on this road before, the trouble will become, how do you secure the decryption key in a way that the BigFix action can get to it but a system administrator cannot? I suspect we will still involve a secure parameter with the “decryption key” in the parameter, to keep it out of an administrator’s hands.

Here is a very old method from bigfix.me that should point you in a productive direction.

https://bigfix.me/fixlet/details/139

2 Likes
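One way to do the command-line decryption the post above asks about, as an added example that is not part of the thread or BigFix's own code: the registry value holds Base64 of IV, AES-256-CBC ciphertext and an HMAC-SHA256 tag, and is decrypted with a key supplied at run time. The cipher choice, the registry path `HKCU:\Software\ExampleCorp\PosBuild`, the value name and the function names are assumptions; the thread does not say how the SQL team will encrypt the password, and handing the key in from a BigFix secure parameter is not shown.

```powershell
# Added example: registry path, value name, key and password are constructed.
$RegPath = 'HKCU:\Software\ExampleCorp\PosBuild'   # hypothetical
$RegName = 'SqlSecret'                             # hypothetical

function Get-Mac([byte[]]$MacKey, [byte[]]$Data) {
    $h = [System.Security.Cryptography.HMACSHA256]::new($MacKey)
    try { return $h.ComputeHash($Data) } finally { $h.Dispose() }
}

# $Key is 64 bytes: bytes 0-31 for AES-256-CBC, bytes 32-63 for HMAC-SHA256.
function Protect-Secret([string]$Plain, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    try {
        $aes.Key = [byte[]]$Key[0..31]
        $aes.GenerateIV()                                  # fresh random IV per value
        $pt = [Text.Encoding]::UTF8.GetBytes($Plain)
        [byte[]]$body = $aes.IV + $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    } finally { $aes.Dispose() }
    [byte[]]$mac = Get-Mac ([byte[]]$Key[32..63]) $body    # encrypt-then-MAC over IV + ciphertext
    return [Convert]::ToBase64String([byte[]]($body + $mac))
}

function Unprotect-Secret([string]$Blob, [byte[]]$Key) {
    [byte[]]$raw = [Convert]::FromBase64String($Blob)
    if ($raw.Length -lt 64) { throw 'Stored value is too short' }   # 16 IV + 16 block + 32 tag
    $n = $raw.Length - 32
    [byte[]]$body = $raw[0..($n - 1)]
    [byte[]]$want = Get-Mac ([byte[]]$Key[32..63]) $body
    $diff = 0   # compare all 32 tag bytes without an early exit
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($want[$i] -bxor $raw[$n + $i]) }
    if ($diff -ne 0) { throw 'MAC check failed: wrong key or modified registry value' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = [byte[]]$Key[0..31]
        $aes.IV  = [byte[]]$body[0..15]
        $pt = $aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16)
        return [Text.Encoding]::UTF8.GetString($pt)
    } finally { $aes.Dispose() }
}

# Constructed demo key. In the design discussed above the key would arrive with the
# action (for example as a secure parameter) and never be stored on the endpoint.
[byte[]]$key = 1..64
$blob = Protect-Secret 'Constructed-Passw0rd!' $key          # what the build would write
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name $RegName -Value $blob
$stored = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
if ((Unprotect-Secret $stored $key) -ne 'Constructed-Passw0rd!') { throw 'Round trip failed' }
Remove-Item -Path $RegPath -Recurse -Force                   # remove the demo key
```

Because the tag is verified before decryption, a registry value altered by a local user is rejected instead of yielding a different password. The decrypted string is returned to the caller only and is never written to the console or a log.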

Vote for this idea to have BigFix natively support better encryption/decryption options.

3 Likes