Proteos.Encryption.GoogleCloudKms
0.1.0-preview.3
dotnet add package Proteos.Encryption.GoogleCloudKms --version 0.1.0-preview.3
Proteos — Application Layer Encryption for .NET
Encrypt sensitive entity fields in the application, before they reach the database, blob storage or any cloud system. A database, backup or storage leak then exposes only ciphertext — not your customers' data.
Proteos plugs into Entity Framework Core: you mark which properties are sensitive, and encryption, decryption and exact-match search happen automatically.
Status: Public preview (0.1.0-preview.3). The architecture and APIs are stable and tested, but this is still a pre-1.0 release and may receive API refinements based on feedback. Ships the development key provider plus the Azure Key Vault, AWS KMS and Google Cloud KMS providers. See Limitations.
What problem does it solve?
- DB / backup / cloud-storage leaks — TDE and disk encryption protect the disk, not the data from someone who can read the database (a DBA, a cloud operator, a leaked backup, a read-only data pipeline). Proteos encrypts the values themselves, so anyone reading without the keys gets only ciphertext.
- Accidental plaintext — an opt-in audit report and strict mode catch fields that aren't classified.
- Compliance pressure (pseudonymisation, crypto-shredding) — keys live in a KMS; destroying a key makes its data unrecoverable.
It is not end-to-end encryption and does not protect against a compromised application server (see Limitations).
Packages
| Package | What it is |
|---|---|
| Proteos.Encryption.Abstractions | Interfaces, attributes, value objects. No dependencies. |
| Proteos.Encryption.Core | Crypto core: AES-256-GCM, HKDF, envelope, blind index, key providers. → Abstractions |
| Proteos.Encryption.EntityFrameworkCore | EF Core integration: interceptors, fluent API, query helper, migration services. → Core |
| Proteos.Encryption.AzureKeyVault | Azure Key Vault IKeyProvider adapter (RSA-OAEP-256). → Abstractions |
| Proteos.Encryption.AwsKms | AWS KMS IKeyProvider adapter (symmetric Encrypt/Decrypt). → Abstractions |
| Proteos.Encryption.GoogleCloudKms | Google Cloud KMS IKeyProvider adapter (symmetric Encrypt/Decrypt). → Abstractions |
The compile-time analyzers ship inside the EF Core package, so referencing it is enough to get the warnings — no extra package to install.
<PackageReference Include="Proteos.Encryption.EntityFrameworkCore" Version="0.1.0-preview.3" />
Quick start
```csharp
// 1. Register services
services.AddProteosEncryption(options =>
{
    options.UseLocalDevelopmentKeyProvider(); // DEV ONLY — never in production
    options.UseSingleTenant("demo");
});

// 2. Wire the DbContext
services.AddDbContext<AppDbContext>((sp, options) =>
{
    options.UseSqlite(connectionString);
    options.UseProteosEncryption(sp);
});
```

```csharp
public class Customer
{
    public int Id { get; set; }

    [EncryptedEmail("email")] // encrypted + searchable
    public string Email { get; set; } = "";

    [Encrypted("phone")] // encrypted only
    public string Phone { get; set; } = "";
}
```

```csharp
// In AppDbContext.OnModelCreating, after configuring entities:
modelBuilder.UseProteosEncryptionModel();
```

```csharp
db.Customers.Add(new Customer { Email = "max@example.com", Phone = "+49…" });
await db.SaveChangesAsync(); // stored encrypted

var loaded = await db.Customers.FirstAsync(); // decrypted on load
var email = loaded.Email; // "max@example.com"

var found = await db.Customers
    .WhereEncryptedEquals(db, x => x.Email, "max@example.com") // searches a blind index
    .FirstOrDefaultAsync();
```
Full walkthrough: docs/getting-started.md.
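Why exact-match search needs a blind index next to the AES-256-GCM ciphertext, as an added example that illustrates the general technique and is not Proteos's own code or internal format. The helper names (`BlindIndex`, `Encrypt`, `Decrypt`), the `nonce | ciphertext | tag` layout, the trim/lower-case normalization and the randomly generated keys are assumptions of this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo keys; a real deployment obtains them through its key provider.
byte[] dataKey = RandomNumberGenerator.GetBytes(32);   // AES-256-GCM key
byte[] indexKey = RandomNumberGenerator.GetBytes(32);  // separate HMAC key for the index

// Stand-in for a table: the store only ever sees these two columns.
var rows = new List<(byte[] Ciphertext, byte[] Index)>();
foreach (var email in new[] { "max@example.com", "Max@Example.com ", "eva@example.com" })
    rows.Add((Encrypt(dataKey, email), BlindIndex(indexKey, email)));

// Random nonces: encrypting the same value again gives different bytes,
// so the ciphertext column cannot be matched with an equality predicate.
Console.WriteLine(rows[0].Ciphertext.SequenceEqual(Encrypt(dataKey, "max@example.com")));

// Exact-match search: compute the token for the search term, compare index columns.
byte[] needle = BlindIndex(indexKey, "max@example.com");
var hits = rows.Where(r => CryptographicOperations.FixedTimeEquals(r.Index, needle)).ToList();
Console.WriteLine(hits.Count);                            // rows whose normalized value matches
Console.WriteLine(Decrypt(dataKey, hits[0].Ciphertext));  // decrypted only after the match

static byte[] BlindIndex(byte[] key, string value)
{
    // Assumption of this sketch: trim and lower-case before computing the keyed hash.
    string normalized = value.Trim().ToLowerInvariant();
    return HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(normalized));
}

static byte[] Encrypt(byte[] key, string plaintext)
{
    byte[] nonce = RandomNumberGenerator.GetBytes(12);
    byte[] pt = Encoding.UTF8.GetBytes(plaintext);
    byte[] ct = new byte[pt.Length], tag = new byte[16];
    using var aes = new AesGcm(key, 16);
    aes.Encrypt(nonce, pt, ct, tag);
    return nonce.Concat(ct).Concat(tag).ToArray();        // layout: nonce | ciphertext | tag
}

static string Decrypt(byte[] key, byte[] blob)
{
    byte[] pt = new byte[blob.Length - 28];               // minus 12-byte nonce, 16-byte tag
    using var aes = new AesGcm(key, 16);
    aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(12, pt.Length), blob.AsSpan(12 + pt.Length), pt);
    return Encoding.UTF8.GetString(pt);
}
```

In a scheme like this the token is deterministic, so equal values produce equal tokens: anyone who can read the index column learns which rows share a value, even without either key.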
Documentation
- Getting started — the complete minimal path.
- Attributes — [Encrypted], [EncryptedSearchable], [EncryptedEmail], [Plaintext].
- Fluent API — the attribute-free equivalent.
- Querying — searching encrypted fields, and what not to do.
- Audit & strict mode — catching unclassified fields.
- Key rotation — multiple key versions, KMS foundation, re-encryption.
- Limitations — read this before adopting.
- Architecture specification — the authoritative design.
Samples
Three runnable samples live under samples/:
- Proteos.SampleApi — the 5-minute quickstart: a minimal Web API (entity, DbContext, one service + controller) showing save/load and encrypted search.
- Proteos.FeatureShowcase — a console app with ten scenarios covering every feature: save/load, encrypted search, audit, strict mode, key rotation, rotation-aware search, the re-encryption foundation, Azure/AWS setup (examples), and the analyzer rules.
- Proteos.CrmSampleApi — a realistic CRM Web API: multiple related entities, EF Include, WhereEncryptedEquals and WhereEncryptedIn, strict mode, and admin endpoints for the audit report, ciphertext-at-rest preview and re-encryption status.
Production note
UseLocalDevelopmentKeyProvider() derives every key deterministically from a single root key — anyone
with that key can reproduce every key. It is for development and tests only. Production needs a
KMS-backed key provider (an IKeyProvider adapter). The Azure Key Vault, AWS KMS and Google Cloud KMS
providers ship as separate packages (Proteos.Encryption.AzureKeyVault, Proteos.Encryption.AwsKms,
Proteos.Encryption.GoogleCloudKms). See Key rotation.
Security
Found a vulnerability? Please report it privately — see SECURITY.md. Do not open a public issue for security reports.
License
Apache License 2.0. See LICENSE.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net8.0
  - Google.Cloud.Kms.V1 (>= 3.24.0)
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 8.0.0)
  - Proteos.Encryption.Abstractions (>= 0.1.0-preview.3)
| Version | Downloads | Last Updated |
|---|---|---|
| 0.1.0-preview.3 | 40 | 6/16/2026 |