menu
SecurePasswordCrypt: Secure AES-GCM Encryption & Password Hashing for .NET Projects

SecurePasswordCrypt: Secure AES-GCM Encryption & Password Hashing for .NET Projects

posted Originally published at dev.to 2 min read

Managing secrets—connection strings, API keys, user passwords—can quickly become a headache, especially when you need to ship background jobs, microservices or CI/CD pipelines. Plaintext secrets in code or configuration are a liability.

Enter SecurePasswordCrypt, a lightweight, self-contained .NET library that brings together:

  • AES-GCM encryption/decryption (authenticated encryption)
  • PBKDF2 (Rfc2898) key derivation with 100,000 iterations
  • SHA-256-based password hashing and constant-time verification

This package helps you store, transport and verify secrets safely in any .NET application—console, web, Azure Function, background worker… even within your CI/CD pipeline.

Introduction

Install directly from NuGet:

dotnet add package SecurePasswordCrypt

Or browse the package page: Nuget.org

Grab the latest source or contribute on GitHub: Github

Quick Start

Encrypt / Decrypt

using SecurePasswordCrypt;

string secret = "MySuperSecretValue";
string masterKey = "UltraSecureMasterKey123";

// Encrypt
string cipherText = CryptoService.Encrypt(secret, masterKey);

// Decrypt
string plainText = CryptoService.Decrypt(cipherText, masterKey);
Console.WriteLine(plainText); // "MySuperSecretValue"

Hash / Verify Passwords

// Hash user password for storage
string userPwd = "UserPassword!";
string storedHash = CryptoService.HashPassword(userPwd);

// Later, verify login
bool isValid = CryptoService.VerifyPassword("UserPassword!", storedHash);
Console.WriteLine(isValid); // true

Under the Hood

  1. PBKDF2 derives a strong 256-bit key from your password + random salt (16 bytes). 100,000 iterations slow down brute-force.
  2. AES-GCM uses that key to encrypt data with:
    • 96-bit random nonce
    • 128-bit authentication tag (detects tampering)
  3. The encrypted payload is packaged as Base64:
    [ salt | nonce | tag | ciphertext ]
  4. For password hashing, the library generates a new salt and stores:
    [ salt + derivedKey ] as Base64
  5. Constant-time comparison prevents timing attacks when verifying.

Integration Tips

  • Class Library: Reference the NuGet package or add as project reference.
  • Configuration: Keep your master key in a secure vault (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Retrieve it at runtime.
  • Connection Strings: Encrypt your DB password, store the cipher in config, decrypt on startup.
  • CI/CD: Combine with GitHub Actions or Azure Pipelines to encrypt secrets and publish packages.

Contribute & Feedback

Happy coding, and may your secrets stay secret!

Published on CODERLEGION by Alwil17

Nice work, Alwil17! Super handy tool for keeping secrets safe in .NET apps. Curious—how do you handle key rotation securely without breaking existing encrypted data?

0 votes

Thanks James !!!
Currently, key rotation is not natively handled by the library, but here’s how you can approach it:

  • Key Identifiers: When encrypting data, you can prepend or store a key identifier (e.g., key version or GUID) alongside the ciphertext. When decrypting, use this identifier to look up the correct key.
  • Supporting Multiple Keys: During the rotation process, the application should maintain access to both the new key and previous keys, so existing data remains decryptable.
  • Migration Strategy: For sensitive or frequently accessed data, you can re-encrypt using the new key during reads (lazy migration), or run a batch process to re-encrypt all existing data.

I'm considering adding built-in support for key versioning and seamless rotation in a future release. If you have a particular use case or idea, I'd love to hear it!

0 votes

More Posts

Getting a quick view of your .NET Solution

tsgiannis - Dec 10, 2025

️ From Spaghetti to Scalable: Refactoring a Legacy .NET App Architecture

hessam - Nov 22, 2025

Understanding MediatR Assembly Registration in .NET

Moses Korir - Jul 4, 2025

What's New in .NET Aspire 9.1

Barret Blake - Mar 13, 2025

Google Drive Sync

Pocket Portfolio - Jan 5
chevron_left