Enigma.Cryptography 5.0.0

dotnet add package Enigma.Cryptography --version 5.0.0
                    
NuGet\Install-Package Enigma.Cryptography -Version 5.0.0
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Enigma.Cryptography" Version="5.0.0" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Enigma.Cryptography" Version="5.0.0" />
                    
Directory.Packages.props
<PackageReference Include="Enigma.Cryptography" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Enigma.Cryptography --version 5.0.0
                    
#r "nuget: Enigma.Cryptography, 5.0.0"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Enigma.Cryptography@5.0.0
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Enigma.Cryptography&version=5.0.0
                    
Install as a Cake Addin
#tool nuget:?package=Enigma.Cryptography&version=5.0.0
                    
Install as a Cake Tool

Enigma.Cryptography

NuGet Downloads License: MIT

A comprehensive .NET cryptography library built on top of BouncyCastle.Cryptography, providing a clean and easy-to-use API for common cryptographic operations.

What's new in 5.0 — RSA-OAEP encryption, selectable PBKDF2 PRF, X.509 CRL revocation checking, and net10.0 added to the target frameworks. This is a major release with breaking changes (Argon2 enum parameters, factory-method renames, UTF-8 default in EncodingExtensions, and more). See the release notes for the full migration guide.

Features

  • Block Ciphers — AES, DES, 3DES, Blowfish, Twofish, Serpent, Camellia, and more (CBC, ECB, GCM, SIC/CTR modes)
  • Stream Ciphers — ChaCha20, ChaCha20-RFC7539, Salsa20
  • Public-Key Cryptography — RSA encryption, signing, and PEM key management
  • Post-Quantum Cryptography — ML-DSA (CRYSTALS-Dilithium) and ML-KEM (CRYSTALS-Kyber)
  • X.509 Certificates — Self-signed generation, CSR creation, certificate issuance, PEM/DER/PFX support, chain validation
  • Hashing — MD5, SHA-1, SHA-256, SHA-512, SHA-3
  • HMAC — HMAC-SHA1, HMAC-SHA256, HMAC-SHA512 (byte-array and streaming)
  • One-Time Passwords — HOTP (RFC 4226), TOTP (RFC 6238), and otpauth:// provisioning URIs
  • Key Derivation — PBKDF2 and Argon2
  • Padding — PKCS7, ISO 7816-4, ISO 10126, X9.23
  • Data Encoding — Base64, hexadecimal, and Base32 (RFC 4648) encoding/decoding

Async, progress reporting & cancellation

Stream-based modules (Block Ciphers, Stream Ciphers, Hashing) are fully async and accept optional IProgress<int> and CancellationToken parameters for progress reporting and cooperative cancellation:

var cts = new CancellationTokenSource();
var progress = new Progress<int>(bytesProcessed =>
    Console.WriteLine($"Processed {bytesProcessed} bytes"));

await service.EncryptAsync(input, output, parameters, progress, cts.Token);

Progress reports per-chunk byte deltas (not cumulative totals), making it straightforward to build progress bars for large-file processing.

Installation

dotnet add package Enigma.Cryptography

Supported target frameworks: netstandard2.0, net8.0, and net10.0. Built on BouncyCastle.Cryptography 2.6.2.


Desktop application (GUI)

The repository also ships Enigma.Cryptography.Desktop, an Avalonia desktop app that exercises the whole library through one page per module — a hands-on way to try every algorithm without writing code. It uses the library directly via a project reference (dogfooding), so it always tracks the in-development API.

Run it from the repository root:

dotnet run --project src/Enigma.Cryptography.Desktop

Pages:

  • Block Cipher / Stream Cipher — symmetric encryption/decryption with file-or-text I/O, progress and cancel.
  • Hash / HMAC — digests and keyed digests over text or files.
  • KDF — PBKDF2 and Argon2 key derivation.
  • Data Encoding — Base64, Hex and Base32 encode/decode.
  • Random Bytes — cryptographically secure random generation.
  • Padding — PKCS7, ISO 7816-4, ISO 10126 and X9.23 pad/unpad.
  • Stream Tools — build and inspect length-value / tag-length-value containers.
  • OTP — HOTP/TOTP generation and verification plus otpauth:// provisioning URIs.
  • Keys / RSA — RSA key management (PEM) and encrypt/decrypt/sign/verify.
  • Post-Quantum — ML-DSA signatures and ML-KEM key encapsulation.
  • X.509 — self-signed certificates, CSR create/verify, certificate issuance, chain validation, inspection, and PEM/DER/PFX round-trips.

Command-line application (CLI)

The repository also ships Enigma.Cryptography.Cli, a cross-platform command-line tool (assembly/executable name enigma-crypto) that exposes every library module as a scriptable subcommand. Like the desktop app it references the library directly (no shared layer), so it doubles as a direct-usage reference.

Run it from the repository root:

dotnet run --project src/Enigma.Cryptography.Cli -- --help

Commands accept input from an --in file, inline --text/--value arguments, or standard input, and write results as raw bytes (--out) or encoded text on stdout; diagnostics and progress go to standard error, and processes return scriptable exit codes (0 success, 1 cryptographic failure, 2 usage/I/O error, 130 cancelled). Command groups: block, stream, hash, hmac, kdf, encode/decode, pad/unpad, container, rand, hotp/totp/otp, rsa, mldsa/mlkem, and cert.

# Hash stdin, generate an RSA key pair, and run a full X.509 PKI flow
echo -n abc | dotnet run --project src/Enigma.Cryptography.Cli -- hash --algo sha256
dotnet run --project src/Enigma.Cryptography.Cli -- cert self-signed --subject "CN=Example CA, O=Acme" --out ca.pem --key-out ca.key

See src/Enigma.Cryptography.Cli/README.md for the full command reference — per-command option and exit-code tables, examples, and self-contained publish commands.


Block ciphers

Supported algorithms

Cipher Name Block Size (bits) Supported Key Size(s) (bits) Notes
AES 128 128, 192, 256 Current global standard. Recommended for new applications.
DES 64 56 (effective) Insecure. Broken due to small key size. Do not use.
3DES (TripleDES) 64 112, 168 (effective) Slow, small block size. Largely superseded by AES. Use with caution.
Blowfish 64 32 - 448 (variable) Older cipher, 64-bit block size can be problematic (Sweet32).
Twofish 128 128, 192, 256 AES finalist. Strong, but less widely adopted than AES.
Serpent 128 128, 192, 256 AES finalist. Known for conservative security margin, slower in software.
Camellia 128 128, 192, 256 ISO/NESSIE/CRYPTREC standard. Similar performance/security to AES.
CAST-128 (CAST5) 64 40 - 128 (variable) Used in older PGP/GPG. 64-bit block size limitation.
IDEA 64 128 Used in older PGP. Patented until ~2012. 64-bit block size limit.
SEED 128 128 South Korean standard.
ARIA 128 128, 192, 256 South Korean standard, successor to SEED.
SM4 128 128 Chinese national standard.

Classes

  • BlockCipherService — Service for encryption/decryption with block ciphers
  • BlockCipherServiceFactoryIBlockCipherService factory
  • BlockCipherEngineFactoryIBlockCipher factory
  • BlockCipherPaddingFactoryIBlockCipherPadding factory
  • BlockCipherParametersFactoryICipherParameters factory

Usage

Create a block cipher service with an algorithm string:

var service = new BlockCipherService("AES/CBC/PKCS7Padding");
// or without padding:
var service = new BlockCipherService("AES/CBC/NoPadding");

Create a block cipher service with factories:

var engineFactory = new BlockCipherEngineFactory();
var paddingFactory = new BlockCipherPaddingFactory();

// With padding
var service = new BlockCipherServiceFactory().CreateCbcService(engineFactory.CreateAesEngine, paddingFactory.CreatePkcs7Padding);

// Without padding
var service = new BlockCipherServiceFactory().CreateCbcService(engineFactory.CreateAesEngine);

AES-256 GCM example

var service = new BlockCipherService("AES/GCM");

var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);
var parameters = new BlockCipherParametersFactory().CreateGcmParameters(key, nonce, "associated data".GetUtf8Bytes());

var data = "This is a secret message !".GetUtf8Bytes();

// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, parameters);

var encrypted = outputEnc.ToArray();

// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, parameters);

var decrypted = outputDec.ToArray();

AES-256 CBC example

var service = new BlockCipherService("AES/CBC/PKCS7Padding");

var key = RandomUtils.GenerateRandomBytes(32);
var iv = RandomUtils.GenerateRandomBytes(16);
var parameters = new BlockCipherParametersFactory().CreateCbcParameters(key, iv);

var data = "This is a secret message !".GetUtf8Bytes();

// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, parameters);

var encrypted = outputEnc.ToArray();

// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, parameters);

var decrypted = outputDec.ToArray();

Stream ciphers

Supported algorithms

Cipher Name Key Size (bits) Nonce Size (bits) Notes
ChaCha20 256 64 High-performance software cipher.
ChaCha20-RFC7539 256 96 IETF variant of ChaCha20 (RFC 7539 / RFC 8439).
Salsa20 128, 256 64 Predecessor to ChaCha20.

Classes

  • StreamCipherService — Service for encryption/decryption with stream ciphers
  • StreamCipherServiceFactoryIStreamCipherService factory

ChaCha20-RFC7539 example

var service = new StreamCipherServiceFactory().CreateChaCha7539Service();

var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);

var data = "This is a secret message !".GetUtf8Bytes();

// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, key, nonce);

var encrypted = outputEnc.ToArray();

// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, key, nonce);

var decrypted = outputDec.ToArray();

Public-key cryptography

Classes

  • PublicKeyService — Service for public-key encryption/decryption and signing/verifying
  • PublicKeyServiceFactoryIPublicKeyService factory

RSA example

var service = new PublicKeyServiceFactory().CreateRsaService();

// Generate a 4096-bit key pair
var keyPair = service.GenerateKeyPair(4096);

var data = "This is a secret message".GetUtf8Bytes();

// Encrypt/decrypt with PKCS#1 v1.5 (the service created above)
var enc = service.Encrypt(data, keyPair.Public);
var dec = service.Decrypt(enc, keyPair.Private);

// For new applications, prefer OAEP (SHA-256 by default) over PKCS#1 v1.5:
var oaep = new PublicKeyServiceFactory().CreateRsaOaepService(); // or CreateRsaOaepService(RsaOaepHash.Sha512)
var encOaep = oaep.Encrypt(data, keyPair.Public);
var decOaep = oaep.Decrypt(encOaep, keyPair.Private);

// Sign/verify
var signature = service.Sign(data, keyPair.Private);
var verified = service.Verify(data, signature, keyPair.Public);

// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);

// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");

// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);

// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");

Post-Quantum Cryptography (PQC)

Classes

  • MLDsaService — Module-Lattice-Based digital signature algorithm (ML-DSA / CRYSTALS-Dilithium)
  • MLDsaServiceFactoryIMLDsaService factory
  • MLKemService — Module-Lattice-Based key-encapsulation mechanism (ML-KEM / CRYSTALS-Kyber)
  • MLKemServiceFactoryIMLKemService factory

ML-DSA example

var service = new MLDsaServiceFactory().CreateDsa65Service(); // deterministic: false (default)

var keyPair = service.GenerateKeyPair();

var data = "Data to sign".GetUtf8Bytes();

// Sign/verify
var signature = service.Sign(data, keyPair.Private);
var verified = service.Verify(data, signature, keyPair.Public);

// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);

// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");

// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);

// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");

ML-KEM example

var service = new MLKemServiceFactory().CreateKem1024Service();

var keyPair = service.GenerateKeyPair();

// Encapsulate a shared secret
var (encapsulation, secret) = service.Encapsulate(keyPair.Public);

// Decapsulate the shared secret
var secretDec = service.Decapsulate(encapsulation, keyPair.Private);

// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);

// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");

// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);

// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");

X.509 Certificates

Classes

  • X509CertificateService — Service for certificate generation, CSR creation, certificate issuance, and chain validation
  • X509CertificateServiceFactoryIX509CertificateService factory
  • X509Utils — Static utilities for loading, saving, and inspecting certificates (PEM, DER, PFX)
  • CertificateInfo — Read-only certificate information (subject, issuer, validity, extensions, etc.)

Self-signed certificate example

var certService = new X509CertificateServiceFactory().CreateX509CertificateService();
var rsaService = new PublicKeyServiceFactory().CreateRsaService();

// Generate RSA key pair and self-signed certificate
var keyPair = rsaService.GenerateKeyPair(2048);
var cert = certService.GenerateSelfSignedCertificate(
    keyPair,
    new X509Name("CN=example.com,O=MyOrg"),
    DateTime.UtcNow.AddDays(-1),
    DateTime.UtcNow.AddYears(1),
    keyUsage: KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment,
    basicConstraintsCa: false,
    subjectAlternativeNames: new GeneralNames(new GeneralName(GeneralName.DnsName, "example.com")));

// Save certificate to PEM
using var pemOutput = new MemoryStream();
X509Utils.SaveCertificateToPem(cert, pemOutput);

// Load certificate from PEM
using var pemInput = new MemoryStream(pemOutput.ToArray());
var loaded = X509Utils.LoadCertificateFromPem(pemInput);

// Save/load certificate in DER format
var derBytes = X509Utils.SaveCertificate(cert);
var fromDer = X509Utils.LoadCertificate(derBytes);

// Export to PFX (certificate + private key)
var pfxData = X509Utils.ExportToPfx("mycert", cert, keyPair.Private, "password");

// Import from PFX
var (pfxCert, pfxKey) = X509Utils.LoadFromPfx(pfxData, "password");

// Inspect certificate
var info = X509Utils.GetCertificateInfo(cert);
Console.WriteLine($"Subject: {info.Subject}");
Console.WriteLine($"Valid: {info.NotBefore} - {info.NotAfter}");
Console.WriteLine($"Is CA: {info.IsCa}");

CSR and certificate issuance example

var certService = new X509CertificateServiceFactory().CreateX509CertificateService();
var rsaService = new PublicKeyServiceFactory().CreateRsaService();

// Create a CA
var caKeyPair = rsaService.GenerateKeyPair(2048);
var caCert = certService.GenerateSelfSignedCertificate(
    caKeyPair,
    new X509Name("CN=My CA"),
    DateTime.UtcNow.AddDays(-1),
    DateTime.UtcNow.AddYears(10),
    keyUsage: KeyUsage.KeyCertSign | KeyUsage.CrlSign,
    basicConstraintsCa: true);

// Generate a CSR for a leaf certificate
var leafKeyPair = rsaService.GenerateKeyPair(2048);
var csr = certService.GenerateCsr(leafKeyPair, new X509Name("CN=leaf.example.com"));

// Issue the certificate from the CSR
var leafCert = certService.IssueCertificate(
    csr, caKeyPair, new X509Name("CN=My CA"),
    DateTime.UtcNow.AddDays(-1),
    DateTime.UtcNow.AddYears(1),
    keyUsage: KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment,
    basicConstraintsCa: false);

// Validate the chain (signature, trust anchor, path, and validity period).
// Revocation is NOT checked by default; pass CRLs to enable it:
//   certService.ValidateChain(leafCert, new[] { caCert }, crls);
var isValid = certService.ValidateChain(leafCert, new[] { caCert });

Hashing

Supported algorithms

Algorithm Output Size (bits) Notes
MD5 128 Broken. For checksums only, not security use.
SHA-1 160 Deprecated for security use.
SHA-256 256 Widely used. Recommended for most use cases.
SHA-512 512 Stronger variant of SHA-2.
SHA-3 224, 256, 384, 512 Latest NIST standard. Keccak-based.

Classes

  • HashService — Hash service
  • HashServiceFactoryIHashService factory

Usage

var data = "Data to hash".GetUtf8Bytes();

var service = new HashServiceFactory().CreateSha3Service();

using var input = new MemoryStream(data);
var hash = await service.HashAsync(input);

HMAC

Supported algorithms

Algorithm Output Size (bits)
HMAC-SHA1 160
HMAC-SHA256 256
HMAC-SHA512 512

Classes

  • HmacService — HMAC computation service (synchronous byte[] and async streaming)
  • HmacServiceFactoryIHmacService factory

Usage

var key = "shared-secret".GetUtf8Bytes();
var service = new HmacServiceFactory().CreateHmacSha256Service(key);

// Byte array
var mac = service.ComputeHmac("message".GetUtf8Bytes());

// Streaming
using var input = new MemoryStream("message".GetUtf8Bytes());
var macFromStream = await service.ComputeHmacAsync(input);

// The key is caller-owned; clear it when no longer needed
Array.Clear(key, 0, key.Length);

One-Time Passwords (HOTP / TOTP)

Counter-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) one-time passwords, plus otpauth:// provisioning URIs for enrolling authenticator apps. QR-code image generation is out of scope.

Classes

  • HotpService / HotpServiceFactory — HOTP (RFC 4226), counter-based
  • TotpService / TotpServiceFactory — TOTP (RFC 6238), time-based
  • OtpProvisioning — Static helpers: secret generation, otpauth URI build/parse
  • OtpAuthParameters — Parsed otpauth URI parameters
  • OtpHashAlgorithm — HMAC algorithm selector (Sha1, Sha256, Sha512)

TOTP example

var hotpFactory = new HotpServiceFactory(new HmacServiceFactory());

// Enroll: generate a secret and build a provisioning URI for the authenticator app
var secret = OtpProvisioning.GenerateSecret();
var uri = OtpProvisioning.BuildUri("Example", "alice@example.com", secret);
// otpauth://totp/Example:alice%40example.com?secret=...&issuer=Example&algorithm=SHA1&digits=6&period=30

// Generate and verify codes
var totp = new TotpServiceFactory(hotpFactory).CreateTotpService(secret);
var code = totp.Generate();
var isValid = totp.Verify(code); // default drift window of ±1 time step

// Reject replays using the matched time step
if (totp.Verify(code, window: 1, out var matchedStep))
{
    // accept only if matchedStep is greater than the last accepted step, then store it
}

// Seconds remaining before the current code rolls over
var remaining = totp.GetRemainingSeconds();

// The secret is caller-owned; clear it when no longer needed
Array.Clear(secret, 0, secret.Length);

HOTP example

var secret = OtpProvisioning.GenerateSecret();
var service = new HotpServiceFactory(new HmacServiceFactory()).CreateHotpService(secret);

var code = service.Generate(counter: 0);
var isValid = service.Verify(code, counter: 0, window: 1);

Key Derivation (KDF)

Classes

  • Pbkdf2Service — PBKDF2 key derivation service
  • Pbkdf2ServiceFactoryIPbkdf2Service factory
  • Argon2Service — Argon2 password-based key derivation service
  • Argon2ServiceFactoryIArgon2Service factory

PBKDF2 example

var service = new Pbkdf2Service();

var salt = "5775ada0513d7d7d7316de8d72d1f4d2".FromHexString();

// Derive a 32-byte key from a password and salt
var key = service.GenerateKey(size: 32, password: "yourpassword", salt);

// Select the PRF (HMAC digest); defaults to HMAC-SHA-1 for compatibility,
// HMAC-SHA-256 or stronger is recommended for new use.
var key256 = service.GenerateKey(size: 32, password: "yourpassword", salt, prf: Pbkdf2Prf.HmacSha256);

Argon2 example

var service = new Argon2Service();

var passwordData = "yourpassword".GetUtf8Bytes();
var salt = RandomUtils.GenerateRandomBytes(16);

// Derive a 32-byte key from a password and salt
var key = service.GenerateKey(32, passwordData, salt);

// The caller is responsible for clearing sensitive input when done
Array.Clear(passwordData, 0, passwordData.Length);

Padding

Supported schemes

Scheme Standard Notes
PKCS7 RFC 5652 Most widely used padding scheme.
ISO 7816-4 ISO/IEC 7816-4 Used in smart card applications.
ISO 10126 ISO/IEC 10126 Pads with random bytes; the final byte holds the pad length. Withdrawn/legacy.
X9.23 ANSI X9.23 Pads with zero bytes; the final byte holds the pad length.

Classes

  • NoPaddingService — No-op padding service
  • PaddingService — Padding service
  • PaddingServiceFactoryIPaddingService factory

Usage

var data = "Data to pad".GetUtf8Bytes();

var service = new PaddingServiceFactory().CreatePkcs7Service();

// Pad/unpad with a 16-byte block size
var padded = service.Pad(data, blockSize: 16);
var unpadded = service.Unpad(padded, blockSize: 16);

Data encoding

Classes

  • Base64Service — Base64 encoding/decoding service
  • HexService — Hexadecimal encoding/decoding service
  • Base32Service — Base32 (RFC 4648) encoding/decoding service (padded Encode; Decode tolerant of case, whitespace, and missing padding)

Usage

var data = "This is some data".GetUtf8Bytes();

// Hex encoding
var hex = new HexService();
var hexEncoded = hex.Encode(data);
var hexDecoded = hex.Decode(hexEncoded);

// Base64 encoding
var base64 = new Base64Service();
var base64Encoded = base64.Encode(data);
var base64Decoded = base64.Decode(base64Encoded);

// Base32 encoding
var base32 = new Base32Service();
var base32Encoded = base32.Encode(data);
var base32Decoded = base32.Decode(base32Encoded);

With extension methods:

var data = "This is some data".GetUtf8Bytes();

var hexEncoded = data.ToHexString();
var hexDecoded = hexEncoded.FromHexString();

var base64Encoded = data.ToBase64String();
var base64Decoded = base64Encoded.FromBase64String();

var base32Encoded = data.ToBase32String();
var base32Decoded = base32Encoded.FromBase32String();

Stream extensions

StreamExtensions (namespace Enigma.Cryptography.Extensions) adds typed read/write helpers to any Stream, plus length-value (LV) and tag-length-value (TLV) framing for building and parsing binary containers. Integers are written little-endian, every read fully populates its buffer (partial reads are handled), and both synchronous and ...Async variants are provided.

  • Typed valuesWriteBool/ReadBool, WriteShort/ReadShort and WriteUShort/ReadUShort, WriteInt/ReadInt and WriteUInt/ReadUInt, WriteLong/ReadLong and WriteULong/ReadULong, WriteFloat/ReadFloat, WriteDouble/ReadDouble.
  • Raw bytesWriteBytes(bytes) / ReadBytes(count), plus async WriteByteAsync / ReadByteAsync.
  • Length-ValueWriteLengthValue(value) / ReadLengthValue(maxLength = 10 MB): writes a 4-byte length prefix followed by the bytes; the read guards against negative or oversized lengths.
  • Tag-Length-ValueWriteTagLengthValue(tag, value) / ReadTagLengthValue(maxLength = 10 MB): a ushort tag followed by a length-value block; the read returns a (ushort tag, byte[] value) tuple.
using var stream = new MemoryStream();

// Write a small container: a typed header value, then two tagged fields
stream.WriteInt(1);                                    // e.g. a format version
stream.WriteTagLengthValue(1, "alice".GetUtf8Bytes());
stream.WriteTagLengthValue(2, RandomUtils.GenerateRandomBytes(16));

// Read it back
stream.Position = 0;
var version = stream.ReadInt();                        // 1
var (tag1, value1) = stream.ReadTagLengthValue();      // (1, "alice")
var (tag2, value2) = stream.ReadTagLengthValue();      // (2, 16 random bytes)

Synchronous Stream.WriteByte(byte) / ReadByte() are not provided as extensions — the System.IO.Stream instance methods of those names take precedence. Use those built-ins, or the async WriteByteAsync / ReadByteAsync.


Utilities

The Enigma.Cryptography.Utils namespace holds stateless helpers used throughout the library:

  • RandomUtilsRandomUtils.GenerateRandomBytes(size) returns cryptographically secure random bytes from a thread-local BouncyCastle SecureRandom. Use it for keys, IVs/nonces, and salts (as in the cipher and KDF examples above).
  • PemUtils — load/save PEM-encoded keys (see the Public-key and PQC examples).
  • X509Utils — load/save/inspect X.509 certificates in PEM, DER, and PFX (see the X.509 examples).
// 32 bytes for an AES-256 key, 12 for a GCM nonce
var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);

Copyright (c) 2026 Josué Clément

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (3)

Showing the top 3 NuGet packages that depend on Enigma.Cryptography:

Package Downloads
Enigma.Cryptography.DataEncryption

Stream-based encryption and decryption services for .NET, built on Enigma.Cryptography. Supports password-based (PBKDF2, Argon2id), RSA hybrid, and post-quantum ML-KEM-1024 key exchange, combined with AES-256, Twofish-256, Serpent-256, and Camellia-256 in GCM mode.

Enigma.LicenseManager

Software license management library for .NET with RSA and ML-DSA (post-quantum) signature support, device binding, wildcard product matching, and async persistence.

Carbon.Avalonia.Desktop

A comprehensive Avalonia UI control library for .NET desktop applications. Includes navigation, docking, ribbon, editors, calendar/scheduling, and 2D display controls, along with a CollectionView data subsystem and dialog/overlay services. Built on Avalonia 11.3 with Fluent theme (Dark & Light variants), full MVVM support, and dependency injection integration.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
5.0.0 131 7/10/2026
4.4.0 94 7/10/2026
4.3.0 187 4/1/2026
4.2.1 216 3/15/2026
4.2.0 125 3/15/2026
4.1.0 121 3/9/2026
4.0.3 299 11/28/2025
4.0.2 238 10/30/2025
4.0.1 433 8/5/2025
4.0.0 231 7/4/2025
3.5.3 237 6/30/2025
3.5.2 304 4/25/2025
3.5.1 307 4/21/2025
3.5.0 269 4/20/2025
3.4.0 290 4/16/2025
3.3.0 203 4/11/2025
3.2.0 252 4/3/2025
3.1.1 237 3/30/2025
3.1.0 244 3/30/2025

v5.0.0 — major release with breaking changes. Highlights: RSA-OAEP encryption, selectable PBKDF2 PRF, X.509 CRL revocation checking, and net10.0 added to the target frameworks. Breaking: Argon2 int parameters replaced by enums, factory-method renames (Create*Service), EncodingExtensions now defaults to UTF-8 on every TFM, removed dead synchronous stream extensions, and sealed service/factory classes. See RELEASENOTES.md for the full migration guide.