Using the SecureString Class

.NET 2.0's System.Security namespace includes the SecureString class, which lets you create encrypted strings and delete them from memory when they're no longer needed. You can even make a string behave as a read-only string and prevent any copies from being made, ensuring that there's only a single copy in memory. Moreover, you can wipe the string out of memory by calling its Dispose() method.

SecureStrings are similar to Strings, but the framework automatically encrypts them when they’re initialized or modified. SecureStrings remain modifiable until the application marks them as read-only.

To create a SecureString, you append one character at a time:

System.Security.SecureString secString = new System.Security.SecureString();
secString.AppendChar('D');
secString.AppendChar('e');
secString.AppendChar('V');
secString.AppendChar('X');
secString.AppendChar('P');
secString.AppendChar('W');
secString.AppendChar('D');

When the string contains the data you want, you can make it immutable by calling the MakeReadOnly method; any further AppendChar, InsertAt, RemoveAt, SetAt or Clear call on the instance then throws an InvalidOperationException:

secString.MakeReadOnly();

To read the secure value, use the SecureStringToBSTR() method. It decrypts the contents into an unmanaged BSTR, so zero and free that buffer with ZeroFreeBSTR() as soon as you are done with it; note that the managed string you build from it is an ordinary, unencrypted String that the runtime will not wipe for you:

IntPtr ptr = IntPtr.Zero;
try
{
    ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(secString);
    string sDecrypString = System.Runtime.InteropServices.Marshal.PtrToStringUni(ptr);
    // use sDecrypString here
}
finally
{
    // zero the decrypted copy and release the unmanaged buffer
    if (ptr != IntPtr.Zero)
        System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
}

The garbage collector will eventually finalize a SecureString when it is no longer referenced, but you should not rely on that timing for sensitive data; dispose of it explicitly with the Dispose() method (or a using block), which clears the encrypted buffer immediately and makes any further use of the instance throw an ObjectDisposedException:

secString.Dispose();


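The following console program is an added example, not code from the original article. It walks through the whole life cycle described above (build a SecureString character by character, mark it read-only, read it back through SecureStringToBSTR, dispose it) and goes one step further: it compares the secret against a candidate value by reading the decrypted BSTR character by character, so no managed String copy of the secret is ever created. The helper names Build, EqualsPlaintext and the sample value "DeVXPWD" are constructed for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Builds a SecureString one character at a time, as the article shows.
    // A real application would append characters as the user types them
    // rather than starting from a plain string.
    static SecureString Build(string plain)
    {
        var s = new SecureString();
        foreach (char c in plain)
            s.AppendChar(c);
        return s;
    }

    // Compares the secret with a candidate without ever materialising the
    // secret as a managed String. The decrypted BSTR lives only inside the
    // try block and is zeroed and freed in the finally block. Every character
    // is examined regardless of where the first mismatch occurs.
    static bool EqualsPlaintext(SecureString s, string candidate)
    {
        if (s.Length != candidate.Length)
            return false;

        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToBSTR(s);
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++)
            {
                // BSTR holds UTF-16 code units, two bytes per character.
                char c = (char)Marshal.ReadInt16(ptr, i * 2);
                diff |= c ^ candidate[i];
            }
            return diff == 0;
        }
        finally
        {
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample value; not a real credential.
        SecureString secString = Build("DeVXPWD");
        Console.WriteLine($"Length: {secString.Length}");

        secString.MakeReadOnly();
        Console.WriteLine($"IsReadOnly: {secString.IsReadOnly()}");

        try
        {
            secString.AppendChar('!');
        }
        catch (InvalidOperationException)
        {
            Console.WriteLine("AppendChar rejected: the string is read-only");
        }

        Console.WriteLine($"Matches \"DeVXPWD\": {EqualsPlaintext(secString, "DeVXPWD")}");
        Console.WriteLine($"Matches \"DeVXPWd\": {EqualsPlaintext(secString, "DeVXPWd")}");

        secString.Dispose();
        try
        {
            int ignored = secString.Length;
        }
        catch (ObjectDisposedException)
        {
            Console.WriteLine("Disposed: buffer cleared, further use throws");
        }
    }
}
```

Compile and run it as an ordinary console project on .NET Framework or .NET; on non-Windows runtimes SecureString still works, but the encryption-at-rest guarantee the article describes only holds on Windows, where the buffer is protected with the OS data-protection API.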