Using the SecureString Class

.NET 2.0’s System.Security namespace includes the SecureString class, which lets you create encrypted strings and delete them from memory when they’re no longer needed. You can even make a string behave as a read-only string and prevent any copies from being made, ensuring that there’s only a single copy in memory. Moreover, you can wipe the string out of memory by calling its Dispose() method.

SecureStrings are similar to Strings, but the framework automatically encrypts them when they’re initialized or modified. SecureStrings remain modifiable until the application marks them as read-only.

To create a SecureString, you append one character at a time:

System.Security.SecureString secString = new System.Security.SecureString();
secString.AppendChar('D');
secString.AppendChar('e');
secString.AppendChar('V');
secString.AppendChar('X');
secString.AppendChar('P');
secString.AppendChar('W');
secString.AppendChar('D');

When the string contains the data you want, you can make it immutable and uncopyable by calling the MakeReadOnly method:


To read the secure value, use the SecureStringToBSTR() method as follows:

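IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(secString);
string sDecrypString = System.Runtime.InteropServices.Marshal.PtrToStringUni(ptr);
// Zero and free the unmanaged plaintext copy as soon as it has been read.
System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);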

The garbage collector will remove SecureStrings when they’re no longer referenced, but you can dispose of a SecureString by using the Dispose() method:
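
The steps above put together, as an added example that is not part of the original tip. The class and helper names (SecureStringDemo, FromChars, UsePlaintext) are assumptions; the plaintext is copied into a char[] rather than a managed string, because a string cannot be cleared once it has been created.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Build a SecureString one character at a time, then make it read-only.
    static SecureString FromChars(char[] source)
    {
        SecureString s = new SecureString();
        try
        {
            foreach (char c in source) s.AppendChar(c);
            s.MakeReadOnly();
            return s;
        }
        catch { s.Dispose(); throw; }
        finally { Array.Clear(source, 0, source.Length); } // wipe the caller's buffer
    }

    // Expose the plaintext to a callback, then wipe both temporary copies.
    static void UsePlaintext(SecureString s, Action<char[]> use)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] plain = new char[s.Length];
        try
        {
            bstr = Marshal.SecureStringToBSTR(s);       // unmanaged plaintext copy
            Marshal.Copy(bstr, plain, 0, plain.Length); // managed, clearable copy
            use(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero, then free
        }
    }

    static void Main()
    {
        char[] input = { 'D', 'e', 'V', 'X', 'P', 'W', 'D' }; // constructed sample value
        using (SecureString secString = FromChars(input))     // Dispose() runs on exit
        {
            Console.WriteLine("Read-only: " + secString.IsReadOnly());
            // A read-only SecureString rejects further modification.
            try { secString.AppendChar('!'); }
            catch (InvalidOperationException) { Console.WriteLine("AppendChar rejected"); }
            UsePlaintext(secString, p => Console.WriteLine("Length: " + p.Length));
        }
    }
}
```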
