Does PersistKeyInCsp=false; and Clear() method zero memory?

Question

According to .NET documentation:

RSAalg.PersistKeyInCsp = false;  
RSAalg.Clear(); 

Above snippet deletes the key from CSP. But I cannot find any information either the memory where private key is stored is securely zeroed once the key is deleted. I looked at the .NET code and Clear() method disposes the object only. In fact, there is ClearPrivateParameters method, but it's private one, and is not used in Clear() at all. Moreover, here we can see that PersistKeyInCsp is not used by anything (there is no reference found in the project) - looks like dead code(?) Am I right, that memory is not zeroed?

Answer 1

Hi,

You are right, Clear() does not have a memory zeroing function. From the documentation, Clear() calls Dispose() and GC.SuppressFinalize(). Dispose(true) will dispose of all resources used by the object and set them to null, then suppress the object's finalizer by calling GC.SuppressFinalize(this) . It just frees any unmanaged resources, but it doesn't guarantee that the managed memory used by the object will be zeroed out.

Best regards,

Wenbin Geng

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.