It appears the two parameter constructor is not meant to be used by your code. The documentation isn't clear but its use of the phrase Initializes a new instance of the SecureString class from a subarray of System.Char objects
tells me it's probably copying the data, not encrypting the existing string in place. This would make sense since the documentation for SecureString
specifically mentions a String
cannot be destroyed in a deterministic way.
A good way to test this theory would be to compare the addresses of input
and secure
to see if they still point to the same location in memory after the initialization.