Stratara.Security 3.1.1

.NET 10.0

dotnet add package Stratara.Security --version 3.1.1

NuGet\Install-Package Stratara.Security -Version 3.1.1

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="Stratara.Security" Version="3.1.1" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

<PackageVersion Include="Stratara.Security" Version="3.1.1" />
                    

                            Directory.Packages.props

<PackageReference Include="Stratara.Security" />
                    

                            Project file

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add Stratara.Security --version 3.1.1

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: Stratara.Security, 3.1.1"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package Stratara.Security@3.1.1

#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=Stratara.Security&version=3.1.1
                    

                            Install as a Cake Addin

#tool nuget:?package=Stratara.Security&version=3.1.1
                    

                            Install as a Cake Tool

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

Stratara.Security

License: FSL-1.1-MIT (Functional Source License — source-available; converts to MIT after 2 years). Not OSI-approved OSS.

Dependency-light key store and envelope encryption for Stratara. Provides a production IKeyStore with KEK-wrapped, versioned per-scope data-encryption keys (rotation, revoke, and crypto-shred), a file-backed master-key provider, and an AES-GCM blob encryptor — referencing only Stratara.Abstractions + BCL crypto. No EF Core, RabbitMQ, Redis, or cloud SDKs in the graph.

Quick start

// appsettings / secrets:
// "Stratara": { "KeyStore": { "MasterKeyBase64": "<openssl rand -base64 32>", "StorePath": "/var/run/secrets/keystore.json" } }

builder.Services.AddStrataraFileKeyStore(builder.Configuration);

// Encrypt a blob bound to a tenant scope + purpose:
var scope = new KeyScope(DataSensitivityLevel.TenantScoped, tenantId: "acme-corp");
await using var encrypted = await encryptor.EncryptAsync(plainStream, scope, purpose: "attachment");
await using var plain = await encryptor.DecryptAsync(encrypted, scope);

What's inside

EnvelopeFileKeyStore (IKeyStore) — random 32-byte DEK per scope/version, KEK-wrapped with AES-256-GCM (wrap AAD bound to the key id, so a wrapped DEK can't be moved to another scope). The store file holds only wrapped DEKs + metadata, never plaintext. RotateAsync adds a version; RevokeAsync makes one version undecryptable; EraseScopeAsync deletes all versions for a scope (GDPR Art. 17 crypto-shred). DEKs are zeroed after use; the store file is written 0600 on Unix.
FileMasterKeyProvider (IMasterKeyProvider) — KEK from MasterKeyBase64, validated to decode to exactly 32 bytes (AES-256) at startup. The custody seam: swap for an HSM / KMS / vault provider later without touching the stored data.
AesGcmSecureBlobEncryptor (ISecureBlobEncryptor) — AES-GCM stream encryption with a purpose-bound AAD ({tenant}||{purpose}) and a versioned, self-describing format (v2 leading byte). Reads legacy streams without the version byte; set Stratara:BlobEncryption:LegacyBlobsCarryPurpose to match the legacy layout.
DummyKeyStore — Development-only deterministic fallback (throws outside Development).

Key id schema

{level}:{tenant}:{user}:v{N} — e.g. TenantScoped:acme-corp::v1. GetOrCreateCurrentKeyAsync returns the highest non-revoked version (creating v1 if none); RotateAsync creates v{N+1}.

Dependencies

Stratara.Abstractions
Stratara.Diagnostics
Microsoft.Extensions.{Configuration,DependencyInjection,Hosting,Logging}.Abstractions
Microsoft.Extensions.Options (+ Options.ConfigurationExtensions)

Product	Compatible and additional computed target framework versions.
.NET	net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net10.0
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.8)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Hosting.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Logging.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Options (>= 10.0.8)
- Microsoft.Extensions.Options.ConfigurationExtensions (>= 10.0.8)
- Stratara.Abstractions (>= 3.1.1)
- Stratara.Diagnostics (>= 3.1.1)

NuGet packages (1)

Showing the top 1 NuGet packages that depend on Stratara.Security:

Package	Downloads
Stratara.Infrastructure Infrastructure glue for the Stratara framework — authorization decorators, configuration providers, and DI composition helpers that wire Mediator, Outbox, Identity, and EF Core into a hosted app.	87

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last Updated
3.1.1	0	6/1/2026
3.1.0	46	5/30/2026

### Fixed

- **`FileMasterKeyProvider` now rejects a master KEK that is not exactly 32 bytes at startup.**
The KEK is used directly as an AES-256-GCM key, which accepts only 16/24/32-byte keys. The
provider previously required merely *at least* 32 bytes, so a longer KEK (for example the
48-byte output of `openssl rand -base64 48`, a common HKDF master-key recipe) passed both
construction and the eager `FileKeyStoreStartupProbe`, then threw
`CryptographicException: Specified key is not a valid size for this algorithm` on the **first**
key creation at runtime — defeating the purpose of the boot-time probe. The provider now
validates the decoded length is exactly 32 bytes and fails fast at boot with an actionable
message (`Generate one with: openssl rand -base64 32`). A 32-byte KEK is unaffected.
- **`EnvelopeFileKeyStore` is now safe for multiple processes sharing one store file** (for
example several containers bind-mounting the same host directory). Previously a process only
read the store once at construction, so a data-encryption key created by another process after
startup was invisible (`GetDataEncryptionKeyAsync` returned `null`, breaking decryption), and
two processes creating keys concurrently could overwrite each other's keys or mint colliding
versions for the same scope. Reads now reload from disk on a cache miss (guarded by the file's
last-write time to avoid reload storms), and every mutation serializes through an exclusive
cross-process lock file and re-reads the latest on-disk state before writing. A networked file
system (NFS/SMB) remains unsupported — it guarantees neither atomic rename nor reliable advisory
locks.

### Added

- **`LogEvents.KeyManagement.KeyStoreReloaded` (112_006)** — debug-level event emitted when the
file key store reloads its state from disk to pick up keys written by another process.