Stratara.Security
3.1.0
See the version list below for details.
dotnet add package Stratara.Security --version 3.1.0
NuGet\Install-Package Stratara.Security -Version 3.1.0
<PackageReference Include="Stratara.Security" Version="3.1.0" />
<PackageVersion Include="Stratara.Security" Version="3.1.0" />
<PackageReference Include="Stratara.Security" />
paket add Stratara.Security --version 3.1.0
#r "nuget: Stratara.Security, 3.1.0"
#:package Stratara.Security@3.1.0
#addin nuget:?package=Stratara.Security&version=3.1.0
#tool nuget:?package=Stratara.Security&version=3.1.0
Stratara.Security
License: FSL-1.1-MIT (Functional Source License — source-available; converts to MIT after 2 years). Not OSI-approved OSS.
Dependency-light key store and envelope encryption for Stratara. Provides a production
IKeyStore with KEK-wrapped, versioned per-scope data-encryption keys (rotation, revoke, and
crypto-shred), a file-backed master-key provider, and an AES-GCM blob encryptor — referencing only
Stratara.Abstractions + BCL crypto. No EF Core, RabbitMQ, Redis, or cloud SDKs in the graph.
Quick start
// appsettings / secrets:
// "Stratara": { "KeyStore": { "MasterKeyBase64": "<openssl rand -base64 48>", "StorePath": "/var/run/secrets/keystore.json" } }
builder.Services.AddStrataraFileKeyStore(builder.Configuration);
// Encrypt a blob bound to a tenant scope + purpose:
var scope = new KeyScope(DataSensitivityLevel.TenantScoped, tenantId: "acme-corp");
await using var encrypted = await encryptor.EncryptAsync(plainStream, scope, purpose: "attachment");
await using var plain = await encryptor.DecryptAsync(encrypted, scope);
What's inside
EnvelopeFileKeyStore(IKeyStore) — random 32-byte DEK per scope/version, KEK-wrapped with AES-256-GCM (wrap AAD bound to the key id, so a wrapped DEK can't be moved to another scope). The store file holds only wrapped DEKs + metadata, never plaintext.RotateAsyncadds a version;RevokeAsyncmakes one version undecryptable;EraseScopeAsyncdeletes all versions for a scope (GDPR Art. 17 crypto-shred). DEKs are zeroed after use; the store file is written0600on Unix.FileMasterKeyProvider(IMasterKeyProvider) — KEK fromMasterKeyBase64, validated ≥32 bytes at startup. The custody seam: swap for an HSM / KMS / vault provider later without touching the stored data.AesGcmSecureBlobEncryptor(ISecureBlobEncryptor) — AES-GCM stream encryption with apurpose-bound AAD ({tenant}||{purpose}) and a versioned, self-describing format (v2 leading byte). Reads legacy streams without the version byte; setStratara:BlobEncryption:LegacyBlobsCarryPurposeto match the legacy layout.DummyKeyStore— Development-only deterministic fallback (throws outsideDevelopment).
Key id schema
{level}:{tenant}:{user}:v{N} — e.g. TenantScoped:acme-corp::v1. GetOrCreateCurrentKeyAsync
returns the highest non-revoked version (creating v1 if none); RotateAsync creates v{N+1}.
Dependencies
Stratara.AbstractionsStratara.DiagnosticsMicrosoft.Extensions.{Configuration,DependencyInjection,Hosting,Logging}.AbstractionsMicrosoft.Extensions.Options(+Options.ConfigurationExtensions)
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net10.0
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.8)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Hosting.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Logging.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Options (>= 10.0.8)
- Microsoft.Extensions.Options.ConfigurationExtensions (>= 10.0.8)
- Stratara.Abstractions (>= 3.1.0)
- Stratara.Diagnostics (>= 3.1.0)
NuGet packages (1)
Showing the top 1 NuGet packages that depend on Stratara.Security:
| Package | Downloads |
|---|---|
|
Stratara.Infrastructure
Infrastructure glue for the Stratara framework — authorization decorators, configuration providers, and DI composition helpers that wire Mediator, Outbox, Identity, and EF Core into a hosted app. |
GitHub repositories
This package is not used by any popular GitHub repositories.
**Breaking release.** The `IKeyStore` and `ISecureBlobEncryptor` contracts changed shape, a new
dependency-light `Stratara.Security` package now owns the production key store and envelope
encryption, and a new vendor-neutral `Stratara.Validation` package adds request validation as a
`Stratara.Mediator` pipeline behavior. Consumers must recompile and adapt call sites; data
encrypted under the previous HKDF-style key model is **not** binary-compatible and needs a
re-encrypt pass on its own schedule.
### Added
- **`Stratara.Validation` — vendor-neutral request validation.** A new package providing a
mediator pipeline behavior that runs `IValidator<T>` implementations before the handler and
throws an aggregated `StrataraValidationException` on failure. Register with
`AddStrataraValidation()` (outermost behavior) and `AddValidatorsFromAssemblyContaining<T>()`.
Only `ValidationSeverity.Error` blocks the request; `Warning`/`Info` failures pass through and
are logged. The package has no FluentValidation dependency — the contract is intentionally
FluentValidation-shape-compatible so an optional adapter can be added later.
- **Validation contracts in `Stratara.Abstractions`** (namespace `Stratara.Abstractions.Validation`):
`IValidator<T>`, `ValidationResult`, `ValidationFailure`, `ValidationSeverity`, and
`StrataraValidationException`. Declaring the exception in `Stratara.Abstractions` lets a
consumer's global exception handler map validation failures to its own error model (e.g.
RFC-7807 ProblemDetails) without referencing the behavior package.
- **`Stratara.Security` — production key store + envelope encryption (dependency-light).** Adds
`EnvelopeFileKeyStore`, a file-backed `IKeyStore` storing **KEK-wrapped, versioned per-scope
data-encryption keys** (rotation, single-version revoke, and whole-scope crypto-shred), plus a
`FileMasterKeyProvider` (`IMasterKeyProvider`, the KEK custody seam), an AES-GCM
`ISecureBlobEncryptor`, and the Development-only `DummyKeyStore`. Register with
`AddStrataraFileKeyStore(configuration)`. The package references only `Stratara.Abstractions` +
BCL crypto + `Microsoft.Extensions.*` abstractions — no EF Core, RabbitMQ, Redis, or cloud SDKs —
so lean consumers can encrypt without pulling in `Stratara.Infrastructure`.
- **New security contracts in `Stratara.Abstractions.Security`:** `KeyScope`, `KeyMaterial`, and
`IMasterKeyProvider`.
### Changed
- **BREAKING — `IKeyStore`.** Replaced `EnsureKeyAsync(level, Guid? tenantId, Guid? userId)` with
`GetOrCreateCurrentKeyAsync(KeyScope)` returning `KeyMaterial` (key id + bytes in one call), and
added `RotateAsync(KeyScope)` and `EraseScopeAsync(KeyScope)`. `RevokeAsync(string keyId)` now
performs a real crypto-shred (the production store no longer treats it as a no-op). Scope
identifiers are `string?` (carrying both slugs and `Guid.ToString()` values) rather than `Guid?`.
- **BREAKING — `ISecureBlobEncryptor`.** `EncryptAsync`/`DecryptAsync` now take a `KeyScope` and a
`purpose` instead of a bare `Guid tenantId`. The encrypted stream gains a leading version byte
(v2) and a `purpose` field; legacy streams without the version byte remain readable (configurable
via `Stratara.Security` options).
- The AES-GCM encryption factory, blob encryptor, and dev key store moved out of
`Stratara.Infrastructure` into `Stratara.Security`; `AddSecurity()` now delegates to it. The
field/JSON `[EncryptData]` path (`ISecureJsonSerializer`) stays in `Stratara.Infrastructure`.
This brings the lockstep family to **22 packable packages**.