It is a good practice to wipe keys and other secrets from memory after use. This practice is generally followed in .NET framework cryptography-related classes.
However, AesCryptoServiceProvider makes a copy of the key and IV into temporary buffers before submitting them to CryptoAPI, and never clears those temporary buffers, so the sensitive bytes remain in managed memory until the garbage collector happens to overwrite them. The decompiled method below shows the copies being made (via Clone()) with no corresponding Array.Clear:
    public override ICryptoTransform CreateDecryptor(byte[] key, byte[] iv)
    {
        // Temporary copy of the caller's key; never zeroed after use.
        byte[] buffer = (byte[]) key.Clone();
        byte[] buffer2 = null;
        if (iv != null)
        {
            // Temporary copy of the IV; likewise never zeroed.
            buffer2 = (byte[]) iv.Clone();
        }
        using (SafeCapiKeyHandle handle = CapiNative.ImportSymmetricKey(this.m_cspHandle, GetAlgorithmId(buffer.Length * 8), buffer))
        {
            // buffer and buffer2 go out of scope here still holding the key and IV.
            return this.CreateDecryptor(handle, buffer2);
        }
    }
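As an added illustration (not code from this report or from the .NET Framework), the clone-use-wipe pattern the report asks for, applied on the caller's side through the public AesCryptoServiceProvider API; the helper name DecryptWithWipedCopies and the sample plaintext are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SecretCopyDemo
{
    // Decrypts cipherText with private copies of key and IV, and guarantees the
    // copies are zeroed whether or not decryption throws.
    static byte[] DecryptWithWipedCopies(byte[] key, byte[] iv, byte[] cipherText)
    {
        byte[] keyCopy = (byte[])key.Clone();   // same kind of temporary the framework makes
        byte[] ivCopy = (byte[])iv.Clone();
        try
        {
            using (var aes = new AesCryptoServiceProvider())          // CBC + PKCS7 by default
            using (ICryptoTransform dec = aes.CreateDecryptor(keyCopy, ivCopy))
            {
                return dec.TransformFinalBlock(cipherText, 0, cipherText.Length);
            }
        }
        finally
        {
            // The step missing from the reported code: scrub the temporaries instead of
            // leaving them for the GC, which does not clear them.
            Array.Clear(keyCopy, 0, keyCopy.Length);
            Array.Clear(ivCopy, 0, ivCopy.Length);
        }
    }

    static void Main()
    {
        byte[] key = new byte[16], iv = new byte[16];             // AES-128 key, 16-byte IV
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(key); rng.GetBytes(iv); }

        byte[] cipher;
        using (var aes = new AesCryptoServiceProvider())
        using (ICryptoTransform enc = aes.CreateEncryptor(key, iv))
        {
            byte[] plain = Encoding.UTF8.GetBytes("constructed sample plaintext");
            cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        }

        byte[] recovered = DecryptWithWipedCopies(key, iv, cipher);
        Console.WriteLine(Encoding.UTF8.GetString(recovered));

        // The caller's own key and IV get the same treatment once no longer needed.
        Array.Clear(key, 0, key.Length);
        Array.Clear(iv, 0, iv.Length);
    }
}
```

This only wipes the copies the caller controls; the internal clones made inside AesCryptoServiceProvider.CreateDecryptor are unreachable from user code and stay in memory until the framework itself clears them.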