Stratara.Security 3.1.5

There is a newer version of this package available.
See the version list below for details.
dotnet add package Stratara.Security --version 3.1.5
                    
NuGet\Install-Package Stratara.Security -Version 3.1.5
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Stratara.Security" Version="3.1.5" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Stratara.Security" Version="3.1.5" />
                    
Directory.Packages.props
<PackageReference Include="Stratara.Security" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Stratara.Security --version 3.1.5
                    
#r "nuget: Stratara.Security, 3.1.5"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Stratara.Security@3.1.5
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Stratara.Security&version=3.1.5
                    
Install as a Cake Addin
#tool nuget:?package=Stratara.Security&version=3.1.5
                    
Install as a Cake Tool

Stratara.Security

License: FSL-1.1-MIT (Functional Source License — source-available; converts to MIT after 2 years). Not OSI-approved OSS.

Dependency-light key store and envelope encryption for Stratara. Provides a production IKeyStore with KEK-wrapped, versioned per-scope data-encryption keys (rotation, revoke, and crypto-shred), a file-backed master-key provider, and an AES-GCM blob encryptor — referencing only Stratara.Abstractions + BCL crypto. No EF Core, RabbitMQ, Redis, or cloud SDKs in the graph.

Quick start

// appsettings / secrets:
// "Stratara": { "KeyStore": { "MasterKeyBase64": "<openssl rand -base64 32>", "StorePath": "/var/run/secrets/keystore.json" } }

builder.Services.AddStrataraFileKeyStore(builder.Configuration);

// Encrypt a blob bound to a tenant scope + purpose:
var scope = new KeyScope(DataSensitivityLevel.TenantScoped, tenantId: "acme-corp");
await using var encrypted = await encryptor.EncryptAsync(plainStream, scope, purpose: "attachment");
await using var plain = await encryptor.DecryptAsync(encrypted, scope);

What's inside

  • EnvelopeFileKeyStore (IKeyStore) — random 32-byte DEK per scope/version, KEK-wrapped with AES-256-GCM (wrap AAD bound to the key id, so a wrapped DEK can't be moved to another scope). The store file holds only wrapped DEKs + metadata, never plaintext. RotateAsync adds a version; RevokeAsync makes one version undecryptable; EraseScopeAsync deletes all versions for a scope (GDPR Art. 17 crypto-shred). DEKs are zeroed after use; the store file is written 0600 on Unix.
  • FileMasterKeyProvider (IMasterKeyProvider) — KEK from MasterKeyBase64, validated to decode to exactly 32 bytes (AES-256) at startup. The custody seam: swap for an HSM / KMS / vault provider later without touching the stored data.
  • AesGcmSecureBlobEncryptor (ISecureBlobEncryptor) — AES-GCM stream encryption with a purpose-bound AAD ({tenant}||{purpose}) and a versioned, self-describing format (v2 leading byte). Reads legacy streams without the version byte; set Stratara:BlobEncryption:LegacyBlobsCarryPurpose to match the legacy layout.
  • DummyKeyStore — Development-only deterministic fallback (throws outside Development).

Key id schema

{level}:{tenant}:{user}:v{N} — e.g. TenantScoped:acme-corp::v1. GetOrCreateCurrentKeyAsync returns the highest non-revoked version (creating v1 if none); RotateAsync creates v{N+1}.

Dependencies

  • Stratara.Abstractions
  • Stratara.Diagnostics
  • Microsoft.Extensions.{Configuration,DependencyInjection,Hosting,Logging}.Abstractions
  • Microsoft.Extensions.Options (+ Options.ConfigurationExtensions)
Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (2)

Showing the top 2 NuGet packages that depend on Stratara.Security:

Package Downloads
Stratara.Infrastructure

Infrastructure glue for the Stratara framework — authorization decorators, configuration providers, and DI composition helpers that wire Mediator, Outbox, Identity, and EF Core into a hosted app.

Stratara.Testing

Test doubles and assertion helpers for applications built on the Stratara framework — an in-memory IKeyStore, an in-memory IMessageBus, a preset ISessionContextProvider, deterministic tenant ids, and a given/when/then aggregate rehydration harness. Drop the Postgres/RabbitMQ testcontainers for unit tests.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
3.1.7 51 7/1/2026
3.1.6 368 6/22/2026
3.1.5 138 6/22/2026
3.1.4 879 6/15/2026
3.1.3 146 6/10/2026
3.1.2 150 6/5/2026
3.1.1 862 6/1/2026
3.1.0 123 5/30/2026

### Added

- **Configurable snapshot strategy** (`Stratara.Abstractions`, `Stratara.Infrastructure`) — the
 snapshot cadence is no longer hard-coded. A new `Stratara.Abstractions.EventSourcing.ISnapshotStrategy`
 decides, per stream, whether the event-sourcing runtime should write a snapshot:
 `bool ShouldSnapshot(Type aggregateType, long currentVersion, long lastSnapshotVersion)`.
 `AddEventSourcing()` registers the default `VersionThresholdSnapshotStrategy` (snapshot every 50
 versions — identical to the previous behaviour) via `TryAddSingleton`, so existing consumers see no
 change. To take over the policy, register your own singleton `ISnapshotStrategy` (it overrides the
 default whether registered before or after `AddEventSourcing()`): vary the threshold per aggregate
 type, construct `new VersionThresholdSnapshotStrategy(threshold)` for a different uniform cadence, or
 register `NoSnapshotStrategy` to disable snapshotting entirely. This replaces the previously
 hard-coded `UseSnapshots`/`SnapshotRange` constants in the default snapshot service, which were not
 actually configurable despite the documentation implying they were.
- **`AddDomainEventTypesFromAssemblyContaining<T>()`** (`Stratara.Abstractions`) — registers *only* the
 domain event types consumed by an assembly's aggregate `Apply(TEvent)` methods in the trusted-type
 resolver, without registering the aggregate types themselves and without pulling any projection / saga
 / command-handler classes into DI. Use it in a host that only needs to deserialize event payloads off
 the message bus or event stream — typically a dedicated projection or saga worker — but must not wire
 the handler classes (and their runtime dependencies) that `AddProjectionsFromAssemblyContaining<T>`
 would register. Complements the existing `AddAggregatesFromAssemblyContaining<T>` (which additionally
 registers the aggregate types) and `AddTrustedType<T>` (single type).