SecurePasswordCrypt: Secure AES-GCM Encryption & Password Hashing for .NET Projects

Question

Managing secrets—connection strings, API keys, user passwords—can quickly become a headache, especially when you need to ship background jobs, microservices or CI/CD pipelines. Plaintext secrets in code or configuration are a liability.

Enter SecurePasswordCrypt, a lightweight, self-contained .NET library that brings together:

• AES-GCM encryption/decryption (authenticated encryption)
• PBKDF2 (Rfc2898) key derivation with 100,000 iterations
• SHA-256-based password hashing and constant-time verification

This package helps you store, transport and verify secrets safely in any .NET application—console, web, Azure Function, background worker… even within your CI/CD pipeline.

Introduction

Install directly from NuGet:

dotnet add package SecurePasswordCrypt

Or browse the package page: Nuget.org

Grab the latest source or contribute on GitHub: Github

Quick Start

Encrypt / Decrypt

using SecurePasswordCrypt;

string secret = "MySuperSecretValue";
string masterKey = "UltraSecureMasterKey123";

// Encrypt
string cipherText = CryptoService.Encrypt(secret, masterKey);

// Decrypt
string plainText = CryptoService.Decrypt(cipherText, masterKey);
Console.WriteLine(plainText); // "MySuperSecretValue"

Hash / Verify Passwords

// Hash user password for storage
string userPwd = "UserPassword!";
string storedHash = CryptoService.HashPassword(userPwd);

// Later, verify login
bool isValid = CryptoService.VerifyPassword("UserPassword!", storedHash);
Console.WriteLine(isValid); // true

Under the Hood

1. PBKDF2 derives a strong 256-bit key from your password + random salt (16 bytes). 100,000 iterations slow down brute-force.
2. AES-GCM uses that key to encrypt data with:
   • 96-bit random nonce
   • 128-bit authentication tag (detects tampering)
3. The encrypted payload is packaged as Base64:

   [ salt | nonce | tag | ciphertext ]
   

4. For password hashing, the library generates a new salt and stores:

   [ salt + derivedKey ] as Base64
   

5. Constant-time comparison prevents timing attacks when verifying.

Integration Tips

• Class Library: Reference the NuGet package or add as project reference.
• Configuration: Keep your master key in a secure vault (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Retrieve it at runtime.
• Connection Strings: Encrypt your DB password, store the cipher in config, decrypt on startup.
• CI/CD: Combine with GitHub Actions or Azure Pipelines to encrypt secrets and publish packages.

Contribute & Feedback

• Issues & PRs: https://github.com/Alwil17/SecurePasswordCrypt
• Feature Requests: Open an issue and describe your use case.
• Stars & Follows: Encouraged!

Happy coding, and may your secrets stay secret!

Published on CODERLEGION by Alwil17