I read this tutorial about encryption in .NET.
It uses Rfc2898DeriveBytes to create a random key to be used by a symmetric algorithm, but it doesn't save the key. Later, in the decryption method, it supplies the same password and salt and decrypts the text.
Does this mean that supplying the same salt and password to Rfc2898DeriveBytes could derive the same key? Is there no need to save the key, and I can just save the salt and password?
Yes, that is correct. Identical inputs to Rfc2898DeriveBytes provide identical outputs. Otherwise, decryption would not be possible.
The article you reference uses the term "random" loosely. The output of Rfc2898DeriveBytes is not random, but it has high entropy.