On Fri, Apr 6, 2012 at 6:28 PM, Ben Scott <[email protected]> wrote:
> That seems icky.
>
> Conventional wisdom is that one does any security-sensitive storage
> in memory pages "locked" in RAM. I.e., you allocate some memory, and
> then tell the OS not to write that memory to disk for any reason.
> When done, zero the page(s).
>
> Reading the docs for SecureString, I can only presume .NET doesn't
> have a way to do that. Pity.
You can pin and zero memory in .NET if you really want to, but the point I was trying to make is that SecureString doesn't address the problem of key management. It is however useful for 1) keeping the secret encrypted at rest from other processes and useless in a memory dump (yeah, unless something is actively using it and turned it back into a BSTR for a moment), and 2) preventing most users from errantly writing the password into a logfile or serializing it into a web service response, etc.

--Steve
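The two things the exchange touches on, pinning and zeroing memory in .NET and the brief window in which a SecureString is turned back into a BSTR, as an added C# example that is not part of this thread. It assumes Windows (the VirtualLock/VirtualUnlock P/Invoke is the Win32 page locking Ben describes) and uses a constructed sample secret.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecretHandling
{
    // Win32 page locking (the "locked in RAM" Ben describes); can fail when the working-set quota is exhausted.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualLock(IntPtr lpAddress, UIntPtr dwSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualUnlock(IntPtr lpAddress, UIntPtr dwSize);
    // Build the SecureString char by char so the plaintext never exists as an immutable System.String.
    static SecureString BuildSecret(char[] chars)
    {
        var ss = new SecureString();
        foreach (char c in chars) ss.AppendChar(c);
        ss.MakeReadOnly();
        return ss;
    }
    // Decrypt only for the duration of 'use', into a pinned, page-locked buffer, then zero every copy.
    static void WithPlaintext(SecureString secret, Action<char[]> use)
    {
        char[] buf = new char[secret.Length];
        GCHandle pin = GCHandle.Alloc(buf, GCHandleType.Pinned);  // stop the GC relocating (copying) it
        IntPtr bufAddr = pin.AddrOfPinnedObject();
        var bufBytes = new UIntPtr((uint)(buf.Length * sizeof(char)));
        bool locked = buf.Length > 0 && VirtualLock(bufAddr, bufBytes); // keep it out of the pagefile
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);  // the "BSTR for a moment" Steve mentions
            Marshal.Copy(bstr, buf, 0, buf.Length);
            use(buf);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero and free the unmanaged copy
            Array.Clear(buf, 0, buf.Length);                    // zero the managed copy
            if (locked) VirtualUnlock(bufAddr, bufBytes);
            pin.Free();
        }
    }
    static void Main()
    {
        // Constructed sample secret; a real one would come from user input, never a literal.
        using (SecureString secret = BuildSecret(new[] { 'h', 'u', 'n', 't', 'e', 'r', '2' }))
            WithPlaintext(secret, pw => Console.WriteLine("plaintext length: " + pw.Length));
    }
}
```

The `finally` block is the part that matters: whatever `use` does, both the unmanaged BSTR and the managed buffer are zeroed before the lock and pin are released.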
