Enigma.Cryptography.DataEncryption 1.1.0

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher. .NET Standard 2.0 This package targets .NET Standard 2.0. The package is compatible with this framework or higher. 
dotnet add package Enigma.Cryptography.DataEncryption --version 1.1.0
                    


                    

                
NuGet\Install-Package Enigma.Cryptography.DataEncryption -Version 1.1.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Enigma.Cryptography.DataEncryption" Version="1.1.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Enigma.Cryptography.DataEncryption" Version="1.1.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Enigma.Cryptography.DataEncryption" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Enigma.Cryptography.DataEncryption --version 1.1.0
                    


                    

                
#r "nuget: Enigma.Cryptography.DataEncryption, 1.1.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Enigma.Cryptography.DataEncryption@1.1.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Enigma.Cryptography.DataEncryption&version=1.1.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Enigma.Cryptography.DataEncryption&version=1.1.0
                    


                            Install as a Cake Tool

Enigma.Cryptography.DataEncryption

A .NET library built on top of Enigma.Cryptography that provides stream-based encryption and decryption services.

All services share the same Stream-in / Stream-out API with optional IProgress<int> and CancellationToken support. Every encrypted blob starts with a binary header that embeds all parameters needed for decryption (cipher, KDF settings, nonce, etc.), so no out-of-band metadata is required.

Target frameworks

netstandard2.0, net10.0

Available services

Service Key derivation / exchange
Pbkdf2DataEncryptionService PBKDF2 (password as string)
Argon2DataEncryptionService Argon2id (password as byte[])
RsaDataEncryptionService RSA public/private key pair
MLKemDataEncryptionService ML-KEM-1024 (post-quantum KEM)

Ciphers

All services support the following symmetric ciphers operating in GCM mode:

Cipher enum value Identifier byte
Aes256Gcm 0x01
Twofish256Gcm 0x02
Serpent256Gcm 0x03
Camellia256Gcm 0x04

Pbkdf2DataEncryptionService

Password-based encryption using PBKDF2-HMAC-SHA256.

Encryption process

  1. Generate a random 16-byte salt and a random 12-byte nonce.
  2. Derive a 32-byte key with PBKDF2 from the password, salt, and iteration count.
  3. Write the header to the output stream.
  4. Encrypt the input stream into the output stream using the selected cipher in GCM mode.
  5. Clear the key from memory.

Decryption process

  1. Read the header from the input stream.
  2. Derive the 32-byte key with PBKDF2 using the password, salt, and iteration count read from the header.
  3. Decrypt the input stream into the output stream.

Usage

var service = new Pbkdf2DataEncryptionService();

// Encrypt
await service.EncryptAsync(inputStream, outputStream, Cipher.Aes256Gcm, "password", iterations: 100_000);

// Decrypt
await service.DecryptAsync(inputStream, outputStream, "password");

Binary format

Field Size (bytes) Description
Identifier 2 0xec 0xde — library magic bytes
Encryption type 1 0x01 — PBKDF2
Version 1 0x01
Cipher 1 Cipher identifier
Nonce 12 Random nonce for GCM
Salt 16 Random salt for PBKDF2
Iterations 4 (Int32) PBKDF2 iteration count
Encrypted data variable GCM-encrypted payload

Argon2DataEncryptionService

Password-based encryption using Argon2id.

Encryption process

  1. Generate a random 16-byte salt and a random 12-byte nonce.
  2. Derive a 32-byte key with Argon2id from the password, salt, and cost parameters.
  3. Write the header to the output stream.
  4. Encrypt the input stream into the output stream using the selected cipher in GCM mode.
  5. Clear the key from memory.

Decryption process

  1. Read the header from the input stream.
  2. Derive the 32-byte key with Argon2id using the password and cost parameters read from the header.
  3. Decrypt the input stream into the output stream.

Usage

var service = new Argon2DataEncryptionService();

// Encrypt
await service.EncryptAsync(inputStream, outputStream, Cipher.Aes256Gcm, passwordBytes);

// Decrypt
await service.DecryptAsync(inputStream, outputStream, passwordBytes);

Binary format

Field Size (bytes) Description
Identifier 2 0xec 0xde — library magic bytes
Encryption type 1 0x02 — Argon2id
Version 1 0x01
Cipher 1 Cipher identifier
Nonce 12 Random nonce for GCM
Salt 16 Random salt for Argon2id
Iterations 4 (Int32) Argon2id iteration count
Parallelism 4 (Int32) Argon2id parallelism factor
Memory pow2 4 (Int32) Argon2id memory cost (power of two)
Encrypted data variable GCM-encrypted payload

RsaDataEncryptionService

Hybrid encryption using an RSA public/private key pair to protect a random symmetric key.

Encryption process

  1. Generate a random 32-byte symmetric key and a random 12-byte nonce.
  2. Compute a 16-byte key fingerprint: first 16 bytes of SHA-256 over the public key's SubjectPublicKeyInfo DER encoding.
  3. Encrypt the symmetric key with the RSA public key.
  4. Write the header to the output stream.
  5. Encrypt the input stream into the output stream using the selected cipher in GCM mode.
  6. Clear the symmetric key from memory.

Decryption process

  1. Read the header from the input stream.
  2. Validate that the supplied private key matches the fingerprint stored in the header. Throws InvalidOperationException if they do not match.
  3. Decrypt the encrypted symmetric key with the RSA private key.
  4. Decrypt the input stream into the output stream.
  5. Clear the symmetric key from memory.

Usage

var rsa = new PublicKeyServiceFactory().CreateRsaService();
var keyPair = rsa.GenerateKeyPair(4096);

var service = new RsaDataEncryptionService();

// Encrypt
await service.EncryptAsync(inputStream, outputStream, Cipher.Aes256Gcm, keyPair.Public);

// Decrypt — throws InvalidOperationException if the wrong private key is supplied
await service.DecryptAsync(inputStream, outputStream, keyPair.Private);

Binary format

Field Size (bytes) Description
Identifier 2 0xec 0xde — library magic bytes
Encryption type 1 0x03 — RSA
Version 1 0x02
Cipher 1 Cipher identifier
Key fingerprint 16 First 16 bytes of SHA-256 of the RSA public key's SPKI DER encoding
Nonce 12 Random nonce for GCM
Encrypted key length 4 (Int32) Length of the RSA-encrypted symmetric key
Encrypted key variable RSA-encrypted symmetric key
Encrypted data variable GCM-encrypted payload

MLKemDataEncryptionService

Post-quantum hybrid encryption using ML-KEM-1024 (NIST FIPS 203) for key encapsulation, combined with a symmetric block cipher for data encryption.

Encryption process

  1. Generate a random 12-byte nonce.
  2. Compute a 16-byte key fingerprint: first 16 bytes of SHA-256 over the public key's encoded bytes.
  3. Encapsulate a shared secret from the ML-KEM-1024 public key, producing an encapsulation and a 32-byte secret.
  4. Write the header to the output stream.
  5. Encrypt the input stream into the output stream using the selected cipher in GCM mode with the shared secret as the key.
  6. Clear the secret from memory.

Decryption process

  1. Read the header from the input stream.
  2. Validate that the supplied private key matches the fingerprint stored in the header. Throws InvalidOperationException if they do not match.
  3. Decapsulate the shared secret from the encapsulation using the ML-KEM-1024 private key.
  4. Decrypt the input stream into the output stream.
  5. Clear the secret from memory.

Usage

var mlKem = new MLKemServiceFactory().CreateKem1024();
var keyPair = mlKem.GenerateKeyPair();

var service = new MLKemDataEncryptionService();

// Encrypt
await service.EncryptAsync(inputStream, outputStream, Cipher.Aes256Gcm, keyPair.Public);

// Decrypt — throws InvalidOperationException if the wrong private key is supplied
await service.DecryptAsync(inputStream, outputStream, keyPair.Private);

Binary format

Field Size (bytes) Description
Identifier 2 0xec 0xde — library magic bytes
Encryption type 1 0x04 — ML-KEM
Version 1 0x02
Cipher 1 Cipher identifier
Key fingerprint 16 First 16 bytes of SHA-256 of the ML-KEM public key's encoded bytes
Nonce 12 Random nonce for GCM
Encapsulation length 4 (Int32) Length of the ML-KEM encapsulation
Encapsulation variable ML-KEM encapsulation
Encrypted data variable GCM-encrypted payload
Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.1.0 82 3/8/2026
1.0.4 301 8/5/2025
1.0.3 197 7/7/2025
1.0.2 166 6/30/2025
1.0.1 202 4/25/2025
1.0.0 219 4/24/2025