RepletoryLib.Security.Encryption 1.0.0


RepletoryLib.Security.Encryption

AES and RSA encryption, cryptographic hashing, and data masking services.

Part of the RepletoryLib ecosystem -- standalone, reusable .NET 10 libraries with zero business logic.



Overview

RepletoryLib.Security.Encryption provides a set of cryptographic services for .NET applications. It wraps symmetric encryption (AES-256-CBC), asymmetric encryption (RSA-OAEP), hashing (BCrypt for passwords; SHA-256 and SHA-512 for non-password data), HMAC signing, and data masking behind clean, testable interfaces.

All services are registered as singletons through a single DI extension method and configured via appsettings.json.

Key Features

  • AES-256-CBC encryption -- Symmetric encryption/decryption with PKCS7 padding
  • RSA-OAEP encryption -- Asymmetric encryption with SHA-256 padding and key pair generation
  • Hashing -- BCrypt (adaptive, recommended for passwords), SHA-256, and SHA-512 (fast, for non-password data)
  • HMAC-SHA256 -- Message authentication codes for data integrity
  • Secure token generation -- Cryptographically random URL-safe tokens
  • Data masking -- Email, phone, ID number, credit card, and custom masking patterns

Installation

dotnet add package RepletoryLib.Security.Encryption

Or add to your .csproj:

<PackageReference Include="RepletoryLib.Security.Encryption" Version="1.0.0" />

Note: RepletoryLib packages are published to a local BaGet feed. See the main repository README for feed configuration.

Dependencies

| Package | Type |
|---|---|
| RepletoryLib.Common | RepletoryLib |
| BCrypt.Net-Next | NuGet (4.0.3) |

Quick Start

Register encryption services in Program.cs:

using RepletoryLib.Security.Encryption;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRepletorySecurity(builder.Configuration);

Add configuration to appsettings.json:

{
  "Encryption": {
    "AesKey": "your-32-character-aes-256-key!!!",
    "AesIv": "your-16-char-iv!"
  }
}

Configuration

EncryptionOptions

| Property | Type | Default | Description |
|---|---|---|---|
| AesKey | string | "" | AES-256 key (must be exactly 32 characters) |
| AesIv | string | "" | AES initialization vector (must be exactly 16 characters) |
| RsaPublicKey | string | "" | PEM-encoded RSA public key (optional, for RSA operations) |
| RsaPrivateKey | string | "" | PEM-encoded RSA private key (optional, for RSA operations) |
| HmacSecret | string | "" | Secret key for HMAC-SHA256 operations |

Section name: "Encryption"


Usage Examples

AES Encryption and Decryption

using RepletoryLib.Security.Encryption.Interfaces;

public class UserService
{
    private readonly IEncryptionService _encryption;

    public UserService(IEncryptionService encryption) => _encryption = encryption;

    public string ProtectSensitiveData(string idNumber)
    {
        // Encrypt -- returns Base64-encoded ciphertext
        string encrypted = _encryption.AesEncrypt(idNumber);

        // Decrypt -- returns original plaintext
        string decrypted = _encryption.AesDecrypt(encrypted);

        return encrypted;
    }
}
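
Added example (not from the RepletoryLib code base): plain System.Security.Cryptography code showing why the IV matters for AES-CBC. It assumes the service reuses the configured AesIv on every call, in which case equal plaintexts give equal ciphertexts; the key, IV, ID number and function names are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values with the documented lengths (32-character key, 16-character IV).
byte[] key = Encoding.UTF8.GetBytes("12345678901234567890123456789012");
byte[] configuredIv = Encoding.UTF8.GetBytes("1234567890123456");

using var aes = Aes.Create();
aes.Key = key;

// Assumed library behaviour: every call encrypts under the one configured IV.
string EncryptFixedIv(string plainText) => Convert.ToBase64String(
    aes.EncryptCbc(Encoding.UTF8.GetBytes(plainText), configuredIv, PaddingMode.PKCS7));

// Alternative: a fresh random IV per message, stored in front of the ciphertext.
string EncryptRandomIv(string plainText)
{
    byte[] iv = RandomNumberGenerator.GetBytes(16);
    byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(plainText), iv, PaddingMode.PKCS7);
    return Convert.ToBase64String(iv.Concat(ct).ToArray());
}

// Splits the stored blob back into IV (first 16 bytes) and ciphertext.
string DecryptRandomIv(string cipherText)
{
    byte[] blob = Convert.FromBase64String(cipherText);
    byte[] pt = aes.DecryptCbc(blob.AsSpan(16), blob.AsSpan(0, 16), PaddingMode.PKCS7);
    return Encoding.UTF8.GetString(pt);
}

const string id = "8001015009087"; // constructed 13-digit ID number

// With a fixed IV, anyone who can read two stored values can tell they hold the same data.
Console.WriteLine($"fixed IV, equal ciphertexts:  {EncryptFixedIv(id) == EncryptFixedIv(id)}");
Console.WriteLine($"random IV, equal ciphertexts: {EncryptRandomIv(id) == EncryptRandomIv(id)}");
Console.WriteLine($"random IV round-trip ok:      {DecryptRandomIv(EncryptRandomIv(id)) == id}");
```

CBC provides confidentiality only; to detect tampering, add an HMAC over the IV and ciphertext (encrypt-then-MAC) or use an authenticated mode such as AES-GCM.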

RSA Encryption with Key Generation

using RepletoryLib.Security.Encryption.Interfaces;

public class KeyExchangeService
{
    private readonly IEncryptionService _encryption;

    public KeyExchangeService(IEncryptionService encryption) => _encryption = encryption;

    public (string PublicKey, string PrivateKey) GenerateKeys()
    {
        return _encryption.GenerateRsaKeyPair();
    }

    public string EncryptForRecipient(string message)
    {
        return _encryption.RsaEncrypt(message);
    }

    public string DecryptFromSender(string cipherText)
    {
        return _encryption.RsaDecrypt(cipherText);
    }
}
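
Added example (not from the RepletoryLib code base), going one step beyond the wrapper above: RSA-OAEP with SHA-256 and a 2048-bit key can encrypt at most 190 bytes directly, so longer messages are usually protected by wrapping a one-time AES key. HybridEncrypt, HybridDecrypt and the blob layout are hypothetical choices made for this illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

using var rsa = RSA.Create(2048); // same key size GenerateRsaKeyPair() is documented to produce

// OAEP overhead is 2 * hashLen + 2 bytes: 256 - 2 * 32 - 2 = 190 bytes of payload.
int maxDirect = rsa.KeySize / 8 - 2 * 32 - 2;

// Hybrid scheme: RSA-OAEP wraps a one-time AES-256 key, AES-GCM encrypts the payload.
// Blob layout (hypothetical): wrapped key | 12-byte nonce | 16-byte tag | ciphertext.
byte[] HybridEncrypt(RSA publicKey, byte[] plaintext)
{
    byte[] dek = RandomNumberGenerator.GetBytes(32);
    byte[] nonce = RandomNumberGenerator.GetBytes(12);
    byte[] ct = new byte[plaintext.Length];
    byte[] tag = new byte[16];
    using var gcm = new AesGcm(dek, tag.Length);
    gcm.Encrypt(nonce, plaintext, ct, tag);
    byte[] wrapped = publicKey.Encrypt(dek, RSAEncryptionPadding.OaepSHA256);
    return wrapped.Concat(nonce).Concat(tag).Concat(ct).ToArray();
}

byte[] HybridDecrypt(RSA privateKey, byte[] blob)
{
    int w = privateKey.KeySize / 8; // length of the wrapped key
    byte[] dek = privateKey.Decrypt(blob[..w], RSAEncryptionPadding.OaepSHA256);
    byte[] pt = new byte[blob.Length - w - 28];
    using var gcm = new AesGcm(dek, 16);
    // Throws if the tag does not match, i.e. the blob was modified.
    gcm.Decrypt(blob.AsSpan(w, 12), blob.AsSpan(w + 28), blob.AsSpan(w + 12, 16), pt);
    return pt;
}

byte[] message = Encoding.UTF8.GetBytes(new string('x', 500)); // constructed 500-byte payload

try
{
    rsa.Encrypt(message, RSAEncryptionPadding.OaepSHA256);
}
catch (CryptographicException e)
{
    Console.WriteLine($"direct RSA-OAEP rejected {message.Length} bytes (limit {maxDirect}): {e.Message}");
}

byte[] sealedBlob = HybridEncrypt(rsa, message);
Console.WriteLine($"hybrid round-trip ok: {HybridDecrypt(rsa, sealedBlob).SequenceEqual(message)}");
```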

Password Hashing and Verification

using RepletoryLib.Security.Encryption.Interfaces;
using RepletoryLib.Security.Encryption.Models;

public class AuthService
{
    private readonly IHashingService _hashing;

    public AuthService(IHashingService hashing) => _hashing = hashing;

    public string HashPassword(string password)
    {
        // BCrypt -- adaptive, recommended for passwords
        return _hashing.Hash(password, HashAlgorithmType.BCrypt);
    }

    public bool VerifyPassword(string password, string hash)
    {
        return _hashing.Verify(password, hash, HashAlgorithmType.BCrypt);
    }

    public string HashForStorage(string value)
    {
        // SHA-256 -- fast, suitable for non-password data
        return _hashing.Sha256(value);
    }

    public string GenerateApiKey()
    {
        // Cryptographically secure URL-safe token
        return _hashing.GenerateSecureToken(48);
    }
}

HMAC Signing

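using System.Security.Cryptography;
using System.Text;
using RepletoryLib.Security.Encryption.Interfaces;

public class WebhookService
{
    private readonly IHashingService _hashing;

    public WebhookService(IHashingService hashing) => _hashing = hashing;

    public string SignPayload(string payload, string secret)
    {
        return _hashing.HmacSha256(payload, secret);
    }

    public bool VerifyWebhook(string payload, string signature, string secret)
    {
        var expected = _hashing.HmacSha256(payload, secret);

        // Compare in constant time so response timing does not reveal how much
        // of a guessed signature was correct. HmacSha256 returns lowercase hex,
        // so the supplied value is lowercased to keep the comparison case-insensitive.
        return signature is not null && CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected),
            Encoding.ASCII.GetBytes(signature.ToLowerInvariant()));
    }
}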

Data Masking

using RepletoryLib.Security.Encryption.Interfaces;

public class AuditLogger
{
    private readonly IDataMaskingService _masking;

    public AuditLogger(IDataMaskingService masking) => _masking = masking;

    public void LogSensitiveOperation(string email, string phone, string idNumber, string cardNumber)
    {
        var maskedEmail = _masking.MaskEmail(email);         // "j***@example.com"
        var maskedPhone = _masking.MaskPhone(phone);         // "+27***4567"
        var maskedId = _masking.MaskIdNumber(idNumber);      // "**********567"
        var maskedCard = _masking.MaskCreditCard(cardNumber); // "************4242"

        // Custom masking -- show first 3 and last 2 characters
        var maskedCustom = _masking.MaskCustom("ABC123XYZ", 3, 2); // "ABC****YZ"
    }
}

API Reference

IEncryptionService

| Method | Returns | Description |
|---|---|---|
| AesEncrypt(plainText) | string | AES-256-CBC encrypt, returns Base64 |
| AesDecrypt(cipherText) | string | AES-256-CBC decrypt from Base64 |
| RsaEncrypt(plainText) | string | RSA-OAEP encrypt, returns Base64 |
| RsaDecrypt(cipherText) | string | RSA-OAEP decrypt from Base64 |
| GenerateRsaKeyPair() | (string PublicKey, string PrivateKey) | Generates 2048-bit RSA key pair |

IHashingService

| Method | Returns | Description |
|---|---|---|
| Hash(value, algorithm) | string | Hash using specified algorithm |
| Verify(value, hash, algorithm) | bool | Verify value against hash |
| GenerateSecureToken(length) | string | URL-safe Base64 random token |
| Sha256(value) | string | SHA-256 hash as lowercase hex |
| HmacSha256(value, secret) | string | HMAC-SHA256 as lowercase hex |

IDataMaskingService

| Method | Returns | Description |
|---|---|---|
| MaskEmail(email) | string | "j***@example.com" |
| MaskPhone(phone) | string | "+27***4567" |
| MaskIdNumber(idNumber) | string | "**********567" |
| MaskCreditCard(cardNumber) | string | "************4242" |
| MaskCustom(value, visibleStart, visibleEnd, maskChar) | string | Custom pattern with configurable visibility |

HashAlgorithmType

| Value | Description |
|---|---|
| BCrypt | Adaptive password hashing (recommended for passwords) |
| SHA256 | SHA-256 cryptographic hash |
| SHA512 | SHA-512 cryptographic hash |

Integration with Other RepletoryLib Packages

| Package | Relationship |
|---|---|
| RepletoryLib.Common | Direct dependency |
| RepletoryLib.Data.Interceptors | Uses encryption for [AesEncrypt], [RsaEncrypt], [HashStore] attributes |
| RepletoryLib.Auth.Jwt | Complements JWT with additional token hashing |
| RepletoryLib.Security.Secrets | Use together -- Secrets manages keys, Encryption uses them |

Testing

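using FluentAssertions;              // provides the Should() assertions
using Microsoft.Extensions.Options;  // Options.Create
using RepletoryLib.Security.Encryption.Models;
using Xunit;
// Also import the namespaces that declare EncryptionOptions, EncryptionService
// and HashingService (not shown in this README).

public class EncryptionTests
{
    [Fact]
    public void AesEncrypt_and_decrypt_roundtrip()
    {
        // Test-only key (32 characters) and IV (16 characters)
        var options = Options.Create(new EncryptionOptions
        {
            AesKey = "12345678901234567890123456789012",
            AesIv = "1234567890123456"
        });
        var service = new EncryptionService(options);

        var encrypted = service.AesEncrypt("sensitive data");
        var decrypted = service.AesDecrypt(encrypted);

        decrypted.Should().Be("sensitive data");
        encrypted.Should().NotBe("sensitive data");
    }

    [Fact]
    public void BCrypt_hash_and_verify()
    {
        var service = new HashingService();

        var hash = service.Hash("password123", HashAlgorithmType.BCrypt);
        var isValid = service.Verify("password123", hash, HashAlgorithmType.BCrypt);

        isValid.Should().BeTrue();
    }
}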

Troubleshooting

| Issue | Solution |
|---|---|
| CryptographicException on AES operations | Verify AesKey is exactly 32 characters and AesIv is exactly 16 characters |
| RSA operations fail | Ensure RsaPublicKey and RsaPrivateKey are valid PEM-encoded keys, or generate a pair with GenerateRsaKeyPair() |
| BCrypt hash is slow | By design -- BCrypt is intentionally slow for password security. Use SHA-256 for non-password hashing |
| HmacSha256 returns different results | Ensure the same secret is used for signing and verification |

License

This project is licensed under the MIT License.

Copyright (c) 2024-2026 Repletory.


For complete documentation, infrastructure setup, and configuration reference, see the RepletoryLib main repository.

| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |

NuGet packages (1)

Showing the top 1 NuGet packages that depend on RepletoryLib.Security.Encryption:

Package Downloads
RepletoryLib.Data.Interceptors

Attribute-driven EF Core interceptors for encryption, masking, validation, and normalization

| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.0 | 86 | 3/2/2026 |