How to encrypt SecureString using DPAPI to save to disk without first converting to an unsecured string?

I would like to encrypt SecureString using DPAPI to save it to disk.

The .NET DPAPI class is the ProtectedData class, but ProtectedData.Protect has a single overload that accepts a byte array. There is no overload that accepts SecureString.

In Encrypting Passwords in a .NET app.config File, Jon Galloway uses the aforementioned overload by first converting the SecureString to an insecure string. I would like to avoid this because it defeats the purpose of using SecureString in the first place.

The PowerShell cmdlet ConvertFrom-SecureString seems to do what I need because "if no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation", but I'm not sure how to use this cmdlet directly from .NET, or even whether it is a good idea.

1 answer

Jeff Griffin's blog post SecureString: Soup to Nuts, Part I shows how this can be done. The approach is to convert the SecureString to an unmanaged BSTR and then use P/Invoke to call the unmanaged DPAPI functions.

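A worked version of that approach, added here as an example and not code from the answer or from Jeff Griffin's post: it P/Invokes CryptProtectData directly against the BSTR that Marshal.SecureStringToBSTR returns, takes the length from the BSTR's own length prefix, and zeroes the unmanaged copy before freeing it, so no managed string or byte[] ever holds the plaintext. The SecureDpapi class name, the output file name and the sample password are assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;

static class SecureDpapi
{
    [StructLayout(LayoutKind.Sequential)] struct DATA_BLOB { public int cbData; public IntPtr pbData; }
    const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1;   // fail rather than show a UI prompt

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr, IntPtr pOptionalEntropy,
        IntPtr pvReserved, IntPtr pPromptStruct, uint dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr hMem);   // DPAPI output is LocalAlloc'd

    // Encrypt the UTF-16 bytes straight out of the unmanaged BSTR copy: no managed string
    // or byte[] ever holds the plaintext, and the BSTR is zeroed before it is released.
    public static byte[] Protect(SecureString secret)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(secret);
        try
        {
            // A BSTR keeps its byte length in the 4 bytes just before the character data.
            var input = new DATA_BLOB { cbData = Marshal.ReadInt32(bstr, -4), pbData = bstr };
            var output = new DATA_BLOB();
            if (!CryptProtectData(ref input, "SecureString", IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                                  CRYPTPROTECT_UI_FORBIDDEN, ref output))
                throw new InvalidOperationException("CryptProtectData failed: " + Marshal.GetLastWin32Error());
            var blob = new byte[output.cbData];        // ciphertext only; safe in managed memory
            Marshal.Copy(output.pbData, blob, 0, output.cbData);
            LocalFree(output.pbData);
            return blob;
        }
        finally { Marshal.ZeroFreeBSTR(bstr); }       // wipe the plaintext copy, then free it
    }

    static void Main()
    {
        var secret = new SecureString();
        foreach (char c in "hunter2") secret.AppendChar(c);   // constructed sample; real code reads it from the user
        secret.MakeReadOnly();
        File.WriteAllBytes("secret.dpapi", Protect(secret));  // decryptable only under this user's DPAPI key
    }
}
```

Decryption mirrors this with CryptUnprotectData: read the returned buffer into a new SecureString with AppendChar, zero the buffer, then LocalFree it.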
