MdsEncryptPassword¶
The mdsencryptpassword utility encrypts passwords for use in mds.ini and INT configuration files. It is located in the bin directory of your BTR2SQL installation.
Each run produces a different encrypted value, even for the same input password. This is by design — the utility uses AES encryption with random salting for improved security.
Note
A plain-text password in the mds.ini file will not work. All passwords must be encrypted using this utility or stored via Windows Credential Manager.
Command-line Syntax¶
mdsencryptpassword [options] <password>
Options¶
Option |
Description |
|---|---|
(none) |
Encrypt using AES with random salting (recommended). |
|
Encrypt using the legacy method for backward compatibility with older BTR2SQL versions. |
|
Display help information. |
Examples¶
Encrypt a password using AES (recommended):
mdsencryptpassword "MySecurePassword123"
Encrypt using the legacy method:
mdsencryptpassword /legacy "MySecurePassword123"
Password Types¶
BTR2SQL supports three distinct types of password entries in configuration files:
1. AES Encrypted Password (Recommended)¶
AES encrypted passwords use advanced encryption with random salting, providing enhanced security.
Always starts with
01Long hex string with an odd number of hex pairs (bytes)
Each encryption produces a unique value, even for the same password
Example value:
01c3f05c0ca0d7868adf16b133d8fe5ee820922805920dbeec8717cb07bc1b1c4264836c860105e717468f6191f2a814ac
Generate:
mdsencryptpassword "YourPassword"
Use in mds.ini:
[SQL_BTR]
Password=01c3f05c0ca0d7868adf16b133d8fe5ee820922805920dbeec8717cb07bc1b1c4264836c860105e717468f6191f2a814ac
2. Windows Credential Manager Reference¶
Stores the password securely in Windows Credential Manager. Only a hex reference to the credential entry is placed in the configuration file — the actual password is retrieved from Credential Manager at runtime.
Always starts with
02Length varies based on the entry name length
Only the password is used from the Windows Credential Manager entry. The username field in Credential Manager is left blank (unused); the actual username is configured separately (e.g., as an INT token or in the mds.ini file)
The hex reference string can be used anywhere a password value is accepted, including INT files and mds.ini
Example value:
02636F6D2E6D6572746563682E67686768
Generate using the included PowerShell script:
.\StoreCredential.ps1 -TargetName "MyDatabaseConnection" -Password "YourPassword"
The script stores the password in Windows Credential Manager and outputs the hex reference string for use in configuration files. See Windows Credential Manager Integration below for full details.
3. Legacy Encrypted Password (Compatibility Only)¶
Legacy encrypted passwords use a fixed encryption method that produces the same encrypted value for identical passwords.
Relatively short hex string with an even number of hex pairs
No
01or02prefixFixed encryption — same password always produces the same value
Example value:
a00a51f9a161eebeda7a997117ddfeca
Generate:
mdsencryptpassword /legacy "YourPassword"
Warning
Legacy encryption is provided for backward compatibility only. Use AES encryption for all new deployments.
Using Encrypted Passwords¶
To use an encrypted password in your BTR2SQL configuration:
Generate the encrypted value using one of the methods above.
Place the value in the
Passwordfield of your mds.ini file:
[SQL_BTR]
Password=01c3f05c0ca0d7868adf16b133d8fe5ee820922805920dbeec8717cb07bc1b1c4264836c860105e717468f6191f2a814ac
Or for a Windows Credential Manager reference:
[SQL_BTR]
Password=02636F6D2E6D6572746563682E67686768
Windows Credential Manager Integration¶
BTR2SQL can store and retrieve passwords from the Windows Credential Manager, providing an additional layer of security by leveraging the operating system’s built-in credential storage.
Benefits:
System-Level Security — passwords are protected by Windows security mechanisms
No Plain Text Storage — eliminates the need to store passwords in configuration files
User-Specific Storage — credentials are tied to the current Windows user account
Centralized Management — use Windows tools to manage stored credentials
PowerShell Script¶
BTR2SQL includes a PowerShell script (StoreCredential.ps1) that automates the process of storing credentials and generating the reference string.
Parameters:
$TargetNameThe name of the entry in Windows Credential Manager.
$PasswordThe password to store securely.
Usage:
.\StoreCredential.ps1 -TargetName "ProductionDB" -Password "MySecurePassword123"
Output:
Credential stored successfully.
02506F64756374696F6E4442
Important Notes:
The username field in Windows Credential Manager is left blank and unused
The actual username is still stored as an INT token in the INT configuration file
Credentials are stored with
CRED_PERSIST_LOCAL_MACHINEpersistence levelThe script uses
CRED_TYPE_GENERICcredential type for maximum compatibility
The PowerShell script is provided as a reference implementation. You may extend it to add bulk credential operations, deployment pipeline integration, or custom validation.
Migrating from Legacy Encryption¶
If you are upgrading from a previous version of BTR2SQL and have existing legacy encrypted passwords:
Identify Legacy Passwords — locate encrypted passwords in your current configuration files (short hex strings with no
01or02prefix)Re-encrypt — use
mdsencryptpasswordto generate new AES encrypted valuesUpdate Configuration — replace old encrypted values with the new ones
Test Connections — verify that database connections work with the new encrypted passwords
For temporary compatibility, you can use the /legacy flag to generate passwords using the old encryption method, but this is not recommended for long-term use.
Security Best Practices¶
Regular Rotation — periodically update and re-encrypt database passwords
Secure Storage — keep configuration files with encrypted passwords in secure locations
Access Control — limit access to configuration files containing encrypted passwords
Windows Credential Manager — consider using Windows Credential Manager for enhanced security
Avoid Legacy Mode — use AES encryption unless legacy compatibility is specifically required
Troubleshooting¶
“Invalid encrypted password” error
Verify the encrypted password was generated correctly
Ensure you’re not mixing legacy and new encryption methods
Check that the password wasn’t corrupted during copy/paste
Verify the password type matches the expected format:
Legacy: Even number of hex pairs, no prefix
AES: Starts with
01, odd number of hex pairsWindows Credential Manager: Starts with
02
Connection failures after upgrading
Re-encrypt existing passwords using the new utility
Verify configuration file syntax is correct
Test with a plain text password first to confirm connectivity
AES Password Issues
AES passwords must start with
01Verify the full hex string was copied without truncation
AES passwords are significantly longer than legacy passwords
Legacy Password Issues
Legacy passwords are case-sensitive in the hex representation
Ensure the
/legacyflag was used during generationLegacy passwords should be an even number of hex characters
Windows Credential Manager Issues
Ensure BTR2SQL is running with appropriate Windows permissions
Verify credentials are stored under the correct Windows user account
Check Windows Event Logs for credential access errors
Confirm the PowerShell script completed successfully
Verify the hex reference starts with
02Check that the target name in Credential Manager matches the reference
Password Type Identification
If you’re unsure which type of password you have:
Legacy: Short, even number of hex pairs, no
01or02prefixAES: Long, starts with
01, odd number of hex pairsWindows Credential Manager: Starts with
02, length varies by target name
See Also¶
mds.ini file — where encrypted passwords are stored
Configuration Precedence — how settings from different sources interact