Getting the data

Like most objects in the .NET Framework, the SecureString class provides a ToString method. However, that ToString method is inherited from the base System.Object class and is not overridden in SecureString. Consequently, calling ToString on a SecureString returns only the type name (System.Security.SecureString) and none of the stored data.

The tricky aspect of working with the SecureString class is retrieving the data stored in it. Because the contents are encrypted by Windows, you must go through the marshalling support in the System.Runtime.InteropServices namespace to decrypt them. The following C# line is the first step in retrieving the value: it copies the decrypted contents of the SecureString into an unmanaged BSTR and returns a pointer to it.

IntPtr pointerName = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(secureStringObject);

Once the pointer is populated, the PtrToStringBSTR method of the same System.Runtime.InteropServices.Marshal class copies the unmanaged BSTR into a managed string, which the following C# writes to the console.

Console.WriteLine(System.Runtime.InteropServices.Marshal.PtrToStringBSTR(pointerName));

The Microsoft documentation states that SecureStringToBSTR allocates the unmanaged memory required for the string, so you should always release that memory when finished by calling the ZeroFreeBSTR method, which zeroes the buffer before freeing it, as the following C# accomplishes:

System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(pointerName);

The following C# code marries the earlier example of storing data in a SecureString object with retrieving it, so it both stores and displays the contents. Note that the first Console.WriteLine(ss) prints only the type name, as explained above, while the second prints the decrypted value.

using System;
using System.Collections.Generic;
using System.Text;

namespace SecureString {
    class Program {
        static void Main(string[] args) {
            // Build the SecureString one character at a time
            System.Security.SecureString ss = new System.Security.SecureString();
            ss.AppendChar('T');
            ss.AppendChar('e');
            ss.AppendChar('c');
            ss.AppendChar('h');
            ss.AppendChar('R');
            ss.AppendChar('e');
            ss.AppendChar('p');
            ss.AppendChar('u');
            ss.AppendChar('b');
            ss.AppendChar('l');
            ss.AppendChar('i');
            ss.AppendChar('c');
            ss.AppendChar('.');
            ss.AppendChar('c');
            ss.AppendChar('o');
            ss.AppendChar('m');
            // Prints only "System.Security.SecureString": ToString is not overridden
            Console.WriteLine(ss);
            // Decrypt into an unmanaged BSTR, display it, then zero and free it
            IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(ss);
            try {
                Console.WriteLine(System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr));
            } finally {
                System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
            }
        }
    }
}

The equivalent VB.NET code follows:

Module Module1
    Sub Main()
        ' Build the SecureString one character at a time
        Dim ss As New System.Security.SecureString()
        ss.AppendChar("T")
        ss.AppendChar("e")
        ss.AppendChar("c")
        ss.AppendChar("h")
        ss.AppendChar("R")
        ss.AppendChar("e")
        ss.AppendChar("p")
        ss.AppendChar("u")
        ss.AppendChar("b")
        ss.AppendChar("l")
        ss.AppendChar("i")
        ss.AppendChar("c")
        ss.AppendChar(".")
        ss.AppendChar("c")
        ss.AppendChar("o")
        ss.AppendChar("m")
        ' Prints only "System.Security.SecureString": ToString is not overridden
        Console.WriteLine(ss)
        ' Decrypt into an unmanaged BSTR, display it, then zero and free it
        Dim ptr As IntPtr
        ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(ss)
        Try
            Console.WriteLine(System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr))
        Finally
            System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr)
        End Try
    End Sub
End Module
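Two points the examples above leave open are where the characters come from (appending string literals places the secret in the compiled binary, as a reader notes in the comments) and what happens after PtrToStringBSTR, which returns an ordinary immutable managed string that cannot be zeroed. The following C# is an added example, not code from the original article: it reads the secret from the console keystroke by keystroke, and instead of converting the BSTR to a String it copies the decrypted characters into a char[] that is cleared in the same finally block that zeroes and frees the BSTR. The class and method names (SecureStringDemo, ReadSecretFromConsole, UseDecrypted) are this example's own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example (not from the original article): builds a SecureString from
// keystrokes instead of literals, and exposes the plaintext only inside a
// short-lived char[] that is zeroed afterwards.
static class SecureStringDemo
{
    // Reads a secret from the console one key at a time. Nothing is echoed and
    // no managed String holding the whole secret is ever created.
    public static SecureString ReadSecretFromConsole()
    {
        var secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0)
                    secret.RemoveAt(secret.Length - 1);
            }
            else if (key.KeyChar != '\0')   // skip control keys with no character
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();
        secret.MakeReadOnly();   // no further AppendChar/RemoveAt calls allowed
        return secret;
    }

    // Runs 'use' against the decrypted characters. The unmanaged BSTR is zeroed
    // and freed in the finally block and the managed char[] is cleared, so the
    // plaintext does not outlive this call. Contrast with PtrToStringBSTR, which
    // returns an immutable System.String that lingers until the GC reclaims it.
    public static void UseDecrypted(SecureString secret, Action<char[]> use)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);
            // A BSTR pointer addresses the first UTF-16 code unit; read 2 bytes each
            for (int i = 0; i < chars.Length; i++)
                chars[i] = (char)Marshal.ReadInt16(bstr, i * 2);
            use(chars);
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr);
            Array.Clear(chars, 0, chars.Length);
        }
    }

    static void Main()
    {
        Console.Write("Enter secret: ");
        using (SecureString secret = ReadSecretFromConsole())   // SecureString is IDisposable
        {
            UseDecrypted(secret, chars =>
                Console.WriteLine("Secret has {0} characters, first is '{1}'",
                                  chars.Length, chars.Length > 0 ? chars[0] : '?'));
        }
    }
}
```

The callback shape keeps the window of plaintext exposure to a single method call; whatever the callback does with the char[] (compare it, pass it to an API that accepts a character buffer) should itself avoid copying it into a String.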

Protect your data with SecureString

The SecureString class provides the functionality to work with sensitive pieces of data within a .NET application without requiring you to use cryptography services or extensive code to encrypt data items. The SecureString class also lets you easily store string values and retrieve them on the Windows platform, since the basic String class is poorly suited to holding sensitive data.

How do you handle sensitive data in your applications? Do you utilise encryption or another approach? Share your experience with the .NET community.


Comments

1

Joel - 04/07/07

This example may not be secure, as the TechRepublic.com string could be found in the x86 or IL code of a crash dump via the plain-text string arguments to the AppendChar method.

I believe the AppendChar method is most suited to reading from the user's console.


2

Andy - 10/07/08

Creating a SecureString is easy but what do you do with it once you have it?

I'd like to take a SecureString, calculate its hash, and then store the hash in a database. How can I do this? How can I convert the SecureString to a byte[] so that I can feed it into the hash method, and will doing so defeat the purpose of using a SecureString to begin with?

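The question above, getting the bytes of a SecureString into a hash function, can be done with the same Marshal class the article uses. The following C# is an added example, not code from the article or its commenters: it copies the secret's UTF-16 bytes out of the unmanaged buffer returned by SecureStringToGlobalAllocUnicode into a byte[], hashes them, and then zeroes both copies. The plaintext is unavoidably in managed memory for the duration of the hash call; SecureString narrows that window, it does not remove it. For storing passwords specifically, a salted, slow key-derivation function such as Rfc2898DeriveBytes (PBKDF2) should replace the plain SHA-256 shown here; the byte-extraction step is the same. The class and method names (SecureStringHashing, HashSecret) are this example's own, and the secret value is a constructed sample.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example (not from the original article or comments): copies the secret's
// UTF-16LE bytes out of a SecureString into a byte[] just long enough to hash
// them, then zeroes both the unmanaged and the managed copy.
static class SecureStringHashing
{
    // Returns the hash of the secret's UTF-16LE bytes. The secret exists in
    // managed memory only inside this method, in a byte[] that is cleared
    // before the method returns.
    public static byte[] HashSecret(SecureString secret, HashAlgorithm algorithm)
    {
        int byteLength = secret.Length * 2;      // one UTF-16 code unit = 2 bytes
        byte[] buffer = new byte[byteLength];
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Decrypts into an unmanaged, null-terminated UTF-16 buffer
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, buffer, 0, byteLength);
            return algorithm.ComputeHash(buffer);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);   // zero, then free
            Array.Clear(buffer, 0, buffer.Length);               // scrub the managed copy
        }
    }

    static void Main()
    {
        // Constructed sample secret; real code should build it from console
        // input rather than from a literal that ends up in the binary.
        var secret = new SecureString();
        foreach (char c in "example") secret.AppendChar(c);
        secret.MakeReadOnly();

        using (secret)
        using (var sha256 = SHA256.Create())
        {
            byte[] digest = HashSecret(secret, sha256);
            Console.WriteLine(BitConverter.ToString(digest).Replace("-", ""));
        }
    }
}
```

Hashing the raw UTF-16 bytes avoids a detour through a managed String and an Encoding conversion; whichever byte representation you choose, use the same one consistently when later verifying a stored hash.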
