ProMilesV5.SharedEncryption 0.1.5

Install-Package ProMilesV5.SharedEncryption -Version 0.1.5
dotnet add package ProMilesV5.SharedEncryption --version 0.1.5
<PackageReference Include="ProMilesV5.SharedEncryption" Version="0.1.5" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add ProMilesV5.SharedEncryption --version 0.1.5
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: ProMilesV5.SharedEncryption, 0.1.5"
#r directive can be used in F# Interactive, C# scripting and .NET Interactive. Copy this into the interactive tool or source code of the script to reference the package.
// Install ProMilesV5.SharedEncryption as a Cake Addin
#addin nuget:?package=ProMilesV5.SharedEncryption&version=0.1.5

// Install ProMilesV5.SharedEncryption as a Cake Tool
#tool nuget:?package=ProMilesV5.SharedEncryption&version=0.1.5

ProMilesV5.SharedEncryption

C# Class Library (.NET 8) for field-level AES-256-GCM encryption/decryption, published as a NuGet package.

Purpose

Consumers call EncryptAsync/DecryptAsync on IEncryptionService and, optionally, EncryptSearchableAsync or ComputeSearchHash to obtain a deterministic search token (an HMAC-SHA256 blind index) that lets an encrypted field be matched by equality without decrypting it. All cryptography and key management, including key-version caching and rotation, are internal to the library; consumers never handle keys.

Configuration

Read from environment variables only — no appsettings, no consumer configuration.

Variable                  Description
KeyVaultUri               Azure Key Vault URI
KeyName                   Name of the key in Key Vault (must be an RSA key; see Ciphertext Format)
ManagedIdentityClientId   Client ID of the User-Assigned Managed Identity (optional)
HmacSecretKey             Required if KeyVaultUri is set: 32-byte secret (Base64) for HMAC-SHA256 blind indexing; separate from the AES data key and from the Key Vault RSA key

When KeyVaultUri is absent, the library uses a DEV ONLY hardcoded fallback AES key and a DEV ONLY HMAC key. See Dev Fallback below.

Authentication

DefaultAzureCredential, resolving to the User-Assigned Managed Identity; when ManagedIdentityClientId is set it tells DefaultAzureCredential which user-assigned identity to use.

Ciphertext Format

Each value is encoded as an inner payload of colon-separated Base64 segments; the whole inner string is then Base64-encoded again to produce the string returned by the API.

Mode                     Segments
Key Vault                {keyVersion}:{wrappedKey}:{iv}:{ciphertext}
Dev (keyVersion = dev)   {keyVersion}:{iv}:{ciphertext} (no wrappedKey)

wrappedKey is the 32-byte AES-256 DEK wrapped with RSA-OAEP under the Key Vault key (Base64); iv is the 12-byte GCM nonce (Base64); ciphertext is the AES-GCM output followed by the 16-byte authentication tag (Base64).

The named Key Vault key must be an RSA key, and the library's identity needs the wrapKey and unwrapKey permissions on it (RSA-OAEP). Ciphertext produced with the dev fallback (keyVersion = dev) is not affected by this layout; only Key Vault-backed ciphertext written by versions prior to the RSA wrap implementation (three segments, no wrappedKey) must be re-encrypted.
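To make the envelope concrete, here is an added example that is not code from the ProMilesV5.SharedEncryption package: it builds and parses both documented layouts, enforces the segment and length rules, rejects legacy three-segment Key Vault blobs, and applies the "dev" sentinel check described under Dev Fallback. It assumes a locally generated RSA key in place of the Key Vault key (so wrap/unwrap runs in-process rather than as a Key Vault operation), a locally generated AES key in place of the baked-in dev key, SHA-256 as the OAEP hash, and the names Envelope, EncryptWrapped, EncryptDev and Decrypt; none of these come from the package.

```csharp
// Added example, not code from the ProMilesV5.SharedEncryption package: builds and parses
// the envelope documented under "Ciphertext Format" and applies the "dev" sentinel check.
// Assumptions: a locally generated RSA key stands in for the Key Vault key (wrap/unwrap is
// done in-process instead of via Key Vault), a locally generated AES key stands in for the
// dev fallback key, and the OAEP hash is SHA-256 (Key Vault's "RSA-OAEP" algorithm id uses
// SHA-1 and "RSA-OAEP-256" uses SHA-256; match whichever the library requests).
using System;
using System.Security.Cryptography;
using System.Text;

public static class Envelope
{
    const int IvBytes = 12, TagBytes = 16, DekBytes = 32;
    const string DevVersion = "dev";

    // Key Vault mode: {keyVersion}:{wrappedKey}:{iv}:{ciphertext||tag}
    public static string EncryptWrapped(string plaintext, RSA kek, string keyVersion)
    {
        byte[] dek = RandomNumberGenerator.GetBytes(DekBytes); // fresh DEK for this value
        try
        {
            var (iv, ctTag) = Gcm(dek, plaintext);
            byte[] wrapped = kek.Encrypt(dek, RSAEncryptionPadding.OaepSHA256); // Key Vault wrapKey stand-in
            return Outer(keyVersion, B64(wrapped), B64(iv), B64(ctTag));
        }
        finally { CryptographicOperations.ZeroMemory(dek); }
    }

    // Dev mode: dev:{iv}:{ciphertext||tag}, no wrapped key
    public static string EncryptDev(string plaintext, byte[] devKey)
    {
        var (iv, ctTag) = Gcm(devKey, plaintext);
        return Outer(DevVersion, B64(iv), B64(ctTag));
    }

    public static string Decrypt(string envelope, bool keyVaultConfigured, RSA? kek, byte[]? devKey)
    {
        // Base64 never contains ':' and Key Vault version ids are hex, so splitting is unambiguous.
        string[] seg = Encoding.UTF8.GetString(Convert.FromBase64String(envelope)).Split(':');
        byte[] dek; int ivIdx;
        if (seg[0] == DevVersion)
        {
            // Production safeguard from the README: dev blobs never decrypt where Key Vault is configured.
            if (keyVaultConfigured)
                throw new InvalidOperationException("Dev-encrypted data cannot be decrypted in a Key Vault environment.");
            if (seg.Length != 3) throw new FormatException("dev envelope must be dev:{iv}:{ciphertext}");
            dek = devKey ?? throw new ArgumentNullException(nameof(devKey));
            ivIdx = 1;
        }
        else
        {
            if (seg.Length == 3) throw new FormatException($"Legacy blob for key version {seg[0]} has no wrappedKey; re-encrypt it.");
            if (seg.Length != 4) throw new FormatException("Key Vault envelope must be {keyVersion}:{wrappedKey}:{iv}:{ciphertext}");
            if (kek is null) throw new ArgumentNullException(nameof(kek));
            dek = kek.Decrypt(Convert.FromBase64String(seg[1]), RSAEncryptionPadding.OaepSHA256); // Key Vault unwrapKey stand-in
            ivIdx = 2;
        }
        byte[] iv = Convert.FromBase64String(seg[ivIdx]);
        byte[] ctTag = Convert.FromBase64String(seg[ivIdx + 1]);
        if (iv.Length != IvBytes || ctTag.Length < TagBytes)
            throw new FormatException("iv must be 12 bytes and ciphertext must carry a 16-byte tag");
        byte[] pt = new byte[ctTag.Length - TagBytes];
        using var gcm = new AesGcm(dek, TagBytes);
        gcm.Decrypt(iv, ctTag.AsSpan(0, pt.Length), ctTag.AsSpan(pt.Length), pt); // throws on tag mismatch
        return Encoding.UTF8.GetString(pt);
    }

    static (byte[] iv, byte[] ctTag) Gcm(byte[] key, string plaintext)
    {
        byte[] iv = RandomNumberGenerator.GetBytes(IvBytes); // random 96-bit nonce, never reused under one key
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ctTag = new byte[pt.Length + TagBytes];
        using var gcm = new AesGcm(key, TagBytes);
        gcm.Encrypt(iv, pt, ctTag.AsSpan(0, pt.Length), ctTag.AsSpan(pt.Length)); // tag appended to ciphertext
        return (iv, ctTag);
    }

    static string B64(byte[] b) => Convert.ToBase64String(b);

    // Inner ':'-joined payload, then the whole string Base64-encoded again for the API value.
    static string Outer(params string[] segments) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Join(':', segments)));

    public static void Main()
    {
        using RSA kek = RSA.Create(2048);                         // stand-in for the Key Vault RSA key
        byte[] devKey = RandomNumberGenerator.GetBytes(DekBytes); // stand-in for the dev fallback key
        string kv = EncryptWrapped("4111-1111-1111-1111", kek, "a1b2c3"); // "a1b2c3" is a made-up version label
        string dv = EncryptDev("4111-1111-1111-1111", devKey);
        Console.WriteLine(Decrypt(kv, keyVaultConfigured: true, kek, null));
        Console.WriteLine(Decrypt(dv, keyVaultConfigured: false, null, devKey));
        try { Decrypt(dv, keyVaultConfigured: true, kek, devKey); }   // rejected by the safeguard
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

In the real library the wrap and unwrap steps are the Key Vault wrapKey/unwrapKey operations on the named RSA key, which is why the page requires those permissions; here the DEK exists unwrapped only between encryption and wrapping, and is zeroed afterwards. A tampered iv, wrappedKey or ciphertext segment fails either at the OAEP unwrap or at the GCM tag check, so a parse that succeeds does not by itself mean the blob is intact.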

Public API

  • IEncryptionService: EncryptAsync, DecryptAsync, EncryptSearchableAsync (returns ciphertext plus search hash), ComputeSearchHash (HMAC-SHA256 over the input, Base64-encoded; 44 characters for non-empty input, the Base64 length of a 32-byte MAC).
  • No Key Vault types exposed publicly.

Build

dotnet build

Test

dotnet test

Pack & Push

# Pack (output to ./nupkgs)
dotnet pack -c Release -o ./nupkgs

# Push to NuGet.org
dotnet nuget push ./nupkgs/ProMilesV5.SharedEncryption.*.nupkg --api-key YOUR_API_KEY --source https://api.nuget.org/v3/index.json

# Push to Azure Artifacts (replace feed URL and PAT)
dotnet nuget push ./nupkgs/ProMilesV5.SharedEncryption.*.nupkg --api-key YOUR_PAT --source https://pkgs.dev.azure.com/ORG/PROJECT/_packaging/FEED/nuget/v3/index.json

Usage (after package publish)

<PackageReference Include="ProMilesV5.SharedEncryption" Version="0.1.5" />
// Register and use IEncryptionService
var encrypted = await encryptionService.EncryptAsync(plaintext);
var (cipher, searchHash) = await encryptionService.EncryptSearchableAsync(plaintext);
var queryHash = encryptionService.ComputeSearchHash(searchValue);
var decrypted = await encryptionService.DecryptAsync(encrypted);
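The blind index from the Configuration table and the ComputeSearchHash call above, as an added example that is not the package's code: it loads HmacSecretKey the way the table specifies (required when KeyVaultUri is set, Base64, exactly 32 bytes), computes an HMAC-SHA256 token, and shows that lookups are exact-match only. The class and method names, the choice to MAC the raw UTF-8 bytes with no normalisation, and returning an empty string for empty input are this example's assumptions, not documented behaviour of the library.

```csharp
// Added example, not code from the ProMilesV5.SharedEncryption package: an HMAC-SHA256
// blind index keyed from HmacSecretKey, following the rules in the Configuration table.
// Assumptions: the MAC is computed over the raw UTF-8 bytes with no normalisation, and an
// empty input yields an empty token; the package's own handling of these cases is not
// documented on this page.
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class BlindIndex
{
    private readonly byte[] _key;
    private BlindIndex(byte[] key) => _key = key;

    // HmacSecretKey is required when KeyVaultUri is set. Returns null when KeyVaultUri is
    // absent so the caller can substitute a dev-only key instead.
    public static BlindIndex? FromEnvironment()
    {
        string? vault = Environment.GetEnvironmentVariable("KeyVaultUri");
        string? secret = Environment.GetEnvironmentVariable("HmacSecretKey");
        if (string.IsNullOrEmpty(vault)) return null;
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("HmacSecretKey is required when KeyVaultUri is set.");
        return FromBase64(secret);
    }

    // Accepts only a Base64 string that decodes to exactly 32 bytes.
    public static BlindIndex FromBase64(string base64Key)
    {
        byte[] key;
        try { key = Convert.FromBase64String(base64Key); }
        catch (FormatException e) { throw new InvalidOperationException("HmacSecretKey is not valid Base64.", e); }
        if (key.Length != 32)
            throw new InvalidOperationException($"HmacSecretKey must decode to 32 bytes, got {key.Length}.");
        return new BlindIndex(key);
    }

    // Deterministic token: the same key and input always give the same 44-character Base64
    // string (a 32-byte MAC), so a stored token can be matched with an equality predicate.
    public string ComputeSearchHash(string? value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty; // this example's choice for empty input
        byte[] mac = HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(value));
        return Convert.ToBase64String(mac);
    }

    public static bool TokensMatch(string stored, string query) =>
        string.Equals(stored, query, StringComparison.Ordinal);
}

public static class BlindIndexDemo
{
    public static void Main()
    {
        // Constructed 32-byte key for the demo; in deployment it comes from the K8s Secret
        // and must differ from both the AES data key and the Key Vault RSA key.
        string keyB64 = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var index = BlindIndex.FromBase64(keyB64);

        string stored = index.ComputeSearchHash("alice@example.com"); // what the row would hold
        string query  = index.ComputeSearchHash("alice@example.com"); // what the lookup computes
        Console.WriteLine($"token length {stored.Length}, match: {BlindIndex.TokensMatch(stored, query)}");

        // Exact-match only: a case or whitespace difference yields an unrelated token, so any
        // normalisation has to be applied identically at write time and at query time.
        Console.WriteLine($"case variant matches: {BlindIndex.TokensMatch(stored, index.ComputeSearchHash("Alice@example.com"))}");

        // A key of the wrong length is rejected at startup instead of silently weakening the index.
        try { BlindIndex.FromBase64(Convert.ToBase64String(new byte[16])); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the token is deterministic, equal plaintexts produce equal tokens across rows, which is what makes a WHERE SearchHash = @hash lookup work, but it also means the index reveals which rows share a value. Keeping the HMAC key separate from the AES data key, as the table requires, ensures that a leaked index key cannot decrypt anything.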

Key Dependencies

  • Azure.Security.KeyVault.Keys
  • Azure.Identity
  • System.Security.Cryptography (built-in)

Deployment

Environment variables are injected as Kubernetes Secrets by DevOps/IT. Consuming developers do not set or manage these values.

Variable                  Set by
KeyVaultUri               DevOps (K8s Secret)
KeyName                   DevOps (K8s Secret)
HmacSecretKey             DevOps (K8s Secret)
ManagedIdentityClientId   DevOps (K8s Secret)

Dev Fallback

DEV ONLY — When KeyVaultUri is not set, the library uses a baked-in 32-byte AES-256 key and a separate baked-in 32-byte HMAC key for blind indexes. Never use in production.

  • keyVersion sentinel: "dev" — identifies blobs encrypted with the dev key
  • Production safeguard: When Key Vault is configured, decrypting "dev"-versioned blobs throws InvalidOperationException ("Dev-encrypted data cannot be decrypted in a Key Vault environment.") — prevents dev data leaking into production

Development

  • Target: .NET 8.0
  • Nullable and implicit usings enabled

License

© 2026 ProMiles Online. All rights reserved. Internal use only.

NuGet packages

This package is not used by any NuGet packages.

Version   Downloads   Last updated
0.1.5     0           5/18/2026
0.1.4     0           5/14/2026
0.1.3     0           5/14/2026
0.1.2     0           3/19/2026
0.1.0     0           3/19/2026