Security might feel like a big, scary topic, but you can make a lot of progress with a few solid habits. In this guide I’ll walk you through the practical parts of C# security — how to protect data at rest and in transit, where to store secrets, and how to use the .NET crypto APIs safely. Expect short, focused examples and clear explanations so you can apply them right away.
Understanding Data Security in C#
Think of security in two buckets: data at rest (stuff stored on disk or in your DB) and data in transit (stuff moving over the network). You need to protect both — unencrypted data at rest can leak from a stolen backup, and unencrypted traffic can be eavesdropped on the wire.
Encrypting Data at Rest
Encryption at rest means if someone copies your database file, they still can't read it without the key. In
.NET, System.Security.Cryptography gives you safe building blocks for symmetric (fast) and asymmetric
(public-key) encryption.
Using AES for File Encryption
AES (Advanced Encryption Standard) is a widely used symmetric encryption algorithm. Symmetric means the same key is used to encrypt and decrypt data. Here's an example demonstrating AES encryption of a text file:
using System.Security.Cryptography;
using System.Text;
using System.IO;
// Sample method to encrypt text
public static void EncryptFile(string inputFile, string outputFile, byte[] key, byte[] iv)
{
using Aes aes = Aes.Create();
aes.Key = key;
aes.IV = iv;
using FileStream fsOut = new FileStream(outputFile, FileMode.Create);
using CryptoStream cs = new CryptoStream(fsOut, aes.CreateEncryptor(), CryptoStreamMode.Write);
using StreamWriter sw = new StreamWriter(cs);
string text = File.ReadAllText(inputFile);
sw.Write(text);
}
// Sample usage
byte[] key = Aes.Create().Key; // In production, securely generate/store key
byte[] iv = Aes.Create().IV;
EncryptFile("plaintext.txt", "encrypted.txt", key, iv);
Short explanation: we create an AES encryptor, then pipe file bytes through a CryptoStream to write
encrypted data. Don't hard-code keys — use a secure secret store like Azure Key Vault or the platform's
protected storage.
Decrypting the Data
public static void DecryptFile(string inputFile, string outputFile, byte[] key, byte[] iv)
{
using Aes aes = Aes.Create();
aes.Key = key;
aes.IV = iv;
using FileStream fsIn = new FileStream(inputFile, FileMode.Open);
using CryptoStream cs = new CryptoStream(fsIn, aes.CreateDecryptor(), CryptoStreamMode.Read);
using StreamReader sr = new StreamReader(cs);
string decrypted = sr.ReadToEnd();
File.WriteAllText(outputFile, decrypted);
}
// Sample usage
DecryptFile("encrypted.txt", "decrypted.txt", key, iv);Decryption is the reverse process: supply the same key and IV and read the plaintext back. Symmetric crypto is fast and a good fit when both sides can keep the key secret.
Encrypting Data in Transit
Protect data in transit using TLS (HTTPS). .NET's HttpClient uses TLS by default — that's your first defense.
For lower-level control (sockets), use SslStream.
Using HttpClient with HTTPS
Here's a simple example of making secure HTTPS requests:
using System.Net.Http;
// Create HttpClient
using HttpClient client = new HttpClient();
client.BaseAddress = new Uri("https://secureapi.example.com/");
// Make GET request
HttpResponseMessage response = await client.GetAsync("/data");
response.EnsureSuccessStatusCode();
string responseData = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseData);
By default HttpClient validates server certificates — don't disable that unless you have a very good reason.
If you need extra checks (pinning, custom policies), use HttpClientHandler carefully.
Using SslStream for Low-Level Control
using System.Net.Security;
using System.Net.Sockets;
// Connect to server
using TcpClient client = new TcpClient("example.com", 443);
using SslStream sslStream = new SslStream(client.GetStream(), false,
new RemoteCertificateValidationCallback((sender, cert, chain, errors) => true)));
sslStream.AuthenticateAsClient("example.com");
// Send data
byte[] message = System.Text.Encoding.UTF8.GetBytes("Hello secure world");
sslStream.Write(message);
SslStream is for when you need low-level control over TLS (certificate callbacks, custom
authentication). It's powerful, but usually not necessary for standard HTTP APIs.
Secure Credential Storage
Secrets (passwords, API keys) need careful handling. Never store secrets in code or checked-in config files. Use platform secret stores during production and local secret tools while developing.
Using Windows DPAPI
DPAPI is a simple way to encrypt data tied to the current user or machine on Windows. It's handy for local scenarios, but for cloud apps prefer managed key vaults.
using System.Security.Cryptography;
using System.Text;
// Encrypt
byte[] plaintext = Encoding.UTF8.GetBytes("SuperSecretPassword");
byte[] encrypted = ProtectedData.Protect(plaintext, null, DataProtectionScope.CurrentUser);
// Decrypt
byte[] decrypted = ProtectedData.Unprotect(encrypted, null, DataProtectionScope.CurrentUser);
Console.WriteLine(Encoding.UTF8.GetString(decrypted));In short: DPAPI binds encrypted data to a user or machine account. If the file leaks, an attacker still can't decrypt it without access to that account.
Using Secret Manager and Key Vault
For apps, use Secret Manager for local dev and a cloud key vault (Azure Key Vault, AWS Secrets Manager) in production. Those services handle rotation, access policies, and auditing.
// Add secrets from Azure Key Vault
var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddAzureKeyVault(
new Uri("https://myvault.vault.azure.net/"),
new DefaultAzureCredential());
string dbPassword = builder.Configuration["DatabasePassword"];Centralized secret stores help you rotate keys, grant least privilege, and avoid accidental exposures.
.NET Security APIs Overview
.NET exposes cryptography through System.Security.Cryptography. Use these well-tested APIs rather
than attempting to implement crypto yourself.
The core primitives you'll frequently use are symmetric encryption (for example Aes), asymmetric
encryption (RSA or ECDsa), cryptographic hashing (SHA256,
SHA512
and HMAC), and digital signatures for signing and verifying messages.
Example: Digital Signature
using System.Security.Cryptography;
using System.Text;
byte[] message = Encoding.UTF8.GetBytes("Important message");
// Generate key pair
using RSA rsa = RSA.Create();
byte[] signature = rsa.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// Verify signature
bool isValid = rsa.VerifyData(message, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Console.WriteLine($"Signature valid: {isValid}");Digital signatures let you prove a message came from a specific private key and wasn't changed in transit — great for verifying payloads or software artifacts.
Advanced Security Practices
A few practical best practices to remember: generate strong, random keys for encryption and apply proper salting and a slow hashing function for passwords. Enforce least privilege for service accounts, guard against replay and timing attacks, and always validate input to reduce injection risks.
Security Testing and Auditing
Security is a process — test and audit regularly. Useful practices include running static code analyzers to find vulnerabilities early, performing penetration tests on deployed systems, doing threat modeling to spot risks up front, and adding unit tests around cryptography and secret handling to avoid regressions.
Summary
To sum up: we've covered the practical parts of C# security — encrypting data, keeping traffic safe with TLS, and storing secrets properly. The built-in crypto APIs are powerful when used correctly, so prefer them over custom code.
Start small: add hashing with salt for passwords, use HTTPS everywhere, and move secrets to a vault. Over time these habits will make your apps much safer with minimal ongoing effort.