I have researched and understand Windows Master Passwords and how they work. Thank you for this feature. I am unclear about the following:
(1) On inspection, when site passwords are saved and a Master Password is not set ("not recommended") they do not appear to be stored in clear text. Are they encrypted using the Windows Data Protection API (DAPI) functionality to encrypt strings using the current Windows credentials? If not, how are they encrypted?
(2) I've read and I believe I understand how to make passwords more secure for scripts, thank you. My question is, is there a way to specify the Master Password on the WinSCP.exe command line? I ask because it would then be possible to use PowerShell to first:
$PasswordSecure = Read-Host -Prompt "Password" -AsSecureString
$PasswordText = $PasswordSecure | ConvertFrom-SecureString
Set-Content <path> $PasswordText
...and then the script could:
$PasswordText = Get-Content <path>
$PasswordSecure = $PasswordText | ConvertTo-SecureString
$PasswordBSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PasswordSecure)
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PasswordBSTR)
WinSCP.exe /masterpw="$Password" ...
...unless of course WinWCP could accept PowerShell secure strings directly.