PostQuantum.FileEncryption.Extensions.DependencyInjection
1.6.0
Requires NuGet 6.0.0 or higher.
dotnet add package PostQuantum.FileEncryption.Extensions.DependencyInjection --version 1.6.0
NuGet\Install-Package PostQuantum.FileEncryption.Extensions.DependencyInjection -Version 1.6.0
<PackageReference Include="PostQuantum.FileEncryption.Extensions.DependencyInjection" Version="1.6.0" />
<PackageVersion Include="PostQuantum.FileEncryption.Extensions.DependencyInjection" Version="1.6.0" />
<PackageReference Include="PostQuantum.FileEncryption.Extensions.DependencyInjection" />
paket add PostQuantum.FileEncryption.Extensions.DependencyInjection --version 1.6.0
#r "nuget: PostQuantum.FileEncryption.Extensions.DependencyInjection, 1.6.0"
#:package PostQuantum.FileEncryption.Extensions.DependencyInjection@1.6.0
#addin nuget:?package=PostQuantum.FileEncryption.Extensions.DependencyInjection&version=1.6.0
#tool nuget:?package=PostQuantum.FileEncryption.Extensions.DependencyInjection&version=1.6.0
PostQuantum.FileEncryption.Extensions.DependencyInjection
Microsoft.Extensions.DependencyInjection integration for
PostQuantum.FileEncryption and
PostQuantum.FileEncryption.Hybrid.
One call registers the encryptor and decryptor services in any host that uses the standard
.NET service container — ASP.NET Core, Worker Services, console hosts with
Microsoft.Extensions.Hosting.
dotnet add package PostQuantum.FileEncryption.Extensions.DependencyInjection
Usage
Passphrase encryption only (registers PqFileEncryptor + PqFileDecryptor):
builder.Services.AddPqFileEncryption();
Passphrase and X25519 + ML-KEM-768 hybrid recipient encryption (additionally registers
PqHybridEncryptor + PqHybridDecryptor):
builder.Services.AddPqHybridFileEncryption();
Detached Ed25519 + ML-DSA-65 signing and verification (registers PqSigner + PqVerifier;
key material stays in your own key storage and is passed per call):
builder.Services.AddPqSigning();
Then inject and use:
public sealed class ArchiveService(PqFileEncryptor encryptor, PqFileDecryptor decryptor)
{
public Task ProtectAsync(string path, string passphrase, CancellationToken ct) =>
encryptor.EncryptFileAsync(path, path + ".pqfe", passphrase, cancellationToken: ct);
}
Options
Pass a PqEncryptionOptions to tune encryption (KDF choice, work factors, chunk size).
Omitting it gives you the library's secure defaults:
builder.Services.AddPqFileEncryption(PqEncryptionOptions.Argon2id);
Options never affect decryption — the decryptor reads every parameter from the authenticated container header, so a service registered with one set of options decrypts files produced with any other.
Decrypting untrusted input
If the host decrypts containers it did not produce (uploads, shared storage), register with decrypt-time resource ceilings — a hostile header can otherwise legally demand gibibytes of KDF memory before anything authenticates:
builder.Services.AddPqFileEncryption(null, PqDecryptionLimits.Untrusted);
// or with both tuned:
builder.Services.AddPqHybridFileEncryption(PqEncryptionOptions.Argon2id, PqDecryptionLimits.Untrusted);
A header above a limit is rejected with PqFormatException before any allocation or
key-derivation work. Files you encrypted yourself with default options always open under
PqDecryptionLimits.Untrusted.
Behavior
- Singletons. The encryptor/decryptor types are thread-safe and hold no per-operation state; one instance serves the whole host.
TryAddsemantics. If your application already registered its own instance of any of these types, your registration wins.- Lockstep versioning. This package always pins
PostQuantum.FileEncryption,PostQuantum.FileEncryption.Hybrid, andPostQuantum.FileEncryption.Signingat its own version.
Links
- Repository & full documentation
- File format specification (FROZEN .pqfe v2)
- Known gaps — the honest ledger
To God be the glory — 1 Corinthians 10:31.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net10.0
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.9)
- PostQuantum.FileEncryption.Hybrid (>= 1.6.0)
- PostQuantum.FileEncryption.Signing (>= 1.6.0)
-
net8.0
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.9)
- PostQuantum.FileEncryption.Hybrid (>= 1.6.0)
- PostQuantum.FileEncryption.Signing (>= 1.6.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
1.5.0 — AddPqFileEncryption and AddPqHybridFileEncryption gain overloads taking a PqDecryptionLimits, so hosts that decrypt containers from untrusted sources can register capped decryptors in one line. Tracks the family in lockstep; no change to the .pqfe v2 container format, which remains FROZEN for the 1.x line. See CHANGELOG.md.