ViewState is one technique asp.net uses to enable the postback model. The state for all controls that are marked runat="server" is stored in this base64 string.

This pluralsite article explains in more depth

If you really want to understand ViewState (not just what it is used for), then you may want to read this fabulous article (which I, unfortunately, am not the author of :-). Beware, though, it is a bit dated, but still a very good read.

View state is a kind of hash map (or at least you can think of it that way) that ASP.NET uses to store all the temporary information about a page - like what options are currently chosen in each select box, what values are there in each text box, which panel are open, etc. You can also use it to store any arbitrary information.

The entire map is serialized and encrypted encoded and kept in a hidden variable that's posted back to the server whenever you take any action on the page that requires a server round trip. This is how you can access the values on the controls from the server code. If you change any value in the server code, that change is made in the view state and sent back to the browser.

Just be careful about how much information you store in the view state, though... it can quickly become bloated and slow to transfer each time to the server and back.

As for encryption, I dont' know how strong it is, but its sure not easily human readable. I wouldn't use it for sensitive information, though. As pointed out in the comments, it's not encrypted at all. Just base encoded, which easily reversible.

Allow me to share with you what I learned today.

What is ViewState?

Microsoft® ASP.NET view state, in a nutshell, is the technique used by an ASP.NET Web page to persist changes to the state of a Web Form across postbacks.

View State stores the value of page controls as a string which is hashed and encoded in some hashing and encoding technology. It only contain information about page and its controls

If I have something like this:

protected void Page_Load(object sender, EventArgs e)
{
    ViewState["UserName"] = "Shubh Dasgupta";
    ViewState["Password"] = "IAmAPassword";
}

The view state of a page is, by default, placed in a hidden form field named __VIEWSTATE.

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" 
     value="/wEPDwULLTE2MTY2ODcyMjkPFgQeCFVzZXJOYW1lBQ5TaHViaCBEYXNndXB0YR4IUGFzc3dvcmQFDElBbUFQYXNzd29yZGRk2/xP37hKKE9jfGYYzFjLuwpi6rHlPdXhfSspF6YRZiI=" />

Read More

How is it encoded? Is it encrypted?

ViewState is Encoded and not Encrypted by default. Lets take the previous input type value are run the below code:

protected void btnDecode_Click(object sender, EventArgs e)
{
    //txtViewState.Text = "/wEPDwULLTE2MTY2ODcyMjkPFgQeCFVzZXJOYW1lBQ5TaHViaCBEYXNndXB0YR4IUGFzc3dvcmQFDElBbUFQYXNzd29yZGRk2/xP37hKKE9jfGYYzFjLuwpi6rHlPdXhfSspF6YRZiI="
    string str = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(txtViewState.Text));
    lblDecodedString.Text = str;
}

The output for the above code will be ?-1616687229UserNameShubh DasguptaPasswordIAmAPassworffffd??O??J(Oc|f?X?? b???=??}+)?f"

If you read in details of the article I mentioned before, you would come up with the 'Cost Of ViewState' where it is clearly and beautifully written :

On all page visits, during the save view state stage the Page class gathers the collective view state for all of the controls in its control hierarchy and serializes the state to a base-64 encoded string. (This is the string that is emitted in the hidden __VIEWSTATE form filed.) Similarly, on postbacks, the load view state stage needs to deserialize the persisted view state data, and update the pertinent controls in the control hierarchy.

Try it yourself. Download Sample

ViewState's not encrypted as default, using base64 encoding. You may want to use viewstate if your page has an action with controls.

It is a hidden field generated by ASP.NET that contains information about all the controls on the page. Ideally the view state should not need to be encrypted, as it should never contain sensitive information. To indicate that the view state should be encrypted, set the <machineKey> element's validation attribute in the machine.config file to 3DES. There's a nice article on MSDN describing ViewState.