How to convert a string to securestring explicitly


Solution 1

The simplest approach is to iterate over the source string and append one character at a time to the secure string, like so:

var secure = new SecureString();
foreach (char c in textbox1.Text)

Solution 2

Invent once and reuse lots. Create a simple extension method to extend the string base class and store it some static utilities class somewhere

using System.Security;

/// <summary>
/// Returns a Secure string from the source string
/// </summary>
/// <param name="Source"></param>
/// <returns></returns>
public static SecureString ToSecureString(this string source)
    if (string.IsNullOrWhiteSpace(source))
        return null;
        SecureString result = new SecureString();
        foreach (char c in source.ToCharArray())
        return result;

and then call as follows:


Solution 3

You should make the SecureString readonly. So the code should look like this:

static class SecureStringExtensions
    public static string ToUnsecureString(this SecureString secureString)
        if (secureString == null) throw new ArgumentNullException("secureString");

        var unmanagedString = IntPtr.Zero;
            unmanagedString = Marshal.SecureStringToGlobalAllocUnicode(secureString);
            return Marshal.PtrToStringUni(unmanagedString);

    public static SecureString ToSecureString(this string unsecureString)
        if (unsecureString == null) throw new ArgumentNullException("unsecureString");

        return unsecureString.Aggregate(new SecureString(), AppendChar, MakeReadOnly);

    private static SecureString MakeReadOnly(SecureString ss)
        return ss;

    private static SecureString AppendChar(SecureString ss, char c)
        return ss;

Solution 4

It may be a little late but you can convert SecureString to String this way either

using System.Security;
/// <summary>
/// Converts String to SecureString
/// </summary>
/// <param name="input">Input in String</param>
/// <returns>Input in SecureString</returns>
public SecureString String2SecureString(String input) {
    SecureString _output = new SecureString();
    input.ToCharArray().ToList().ForEach((q) => _output.AppendChar(q));
    return _output;

although it all the same as Balazs Tihanyi's answer:

Google is your friend...

var secure = new SecureString(); 
foreach(char c in textbox1.Text) 

Solution 5

I'm supprised nobody metioned about SecureString constructor taking pointer to char array.

public static SecureString ToSecureString(this string source)
    char[] charArray = source.ToCharArray();
        fixed (char* chars = charArray)
            return new SecureString(chars, charArray.Length);

Note that this code only works with /unsafe compiler option. To set this option go to project properties, Build tab and check Allow unsafe code checkbox.

Indish Cholleti
Author by

Indish Cholleti

Freelancer and Software developer

Updated on March 24, 2020


  • Indish Cholleti
    Indish Cholleti over 4 years

    I want the text entered in the textbox to be converted to securestring in c#.