Serilog.Sinks.File.Encrypt 0.0.0-alpha.0.14

This is a prerelease version of Serilog.Sinks.File.Encrypt.
There is a newer version of this package available.
See the version list below for details.

Serilog.Sinks.File.Encrypt

A Serilog sink that encrypts log files using RSA and AES encryption. This package provides secure logging by encrypting log data before writing to disk, ensuring sensitive information remains protected.

Features

  • Hybrid Encryption: Uses RSA encryption for key exchange and AES for efficient data encryption
  • Seamless Integration: Plugs directly into Serilog's file sink using lifecycle hooks
  • Individual Message Encryption: Each log entry is encrypted separately with its own AES key and IV
  • CLI Tool Integration: Companion CLI tool for key generation and log decryption
  • High Performance: Optimized encryption with chunked processing

Installation

Install the package via NuGet:

dotnet add package Serilog.Sinks.File.Encrypt

For key management and decryption capabilities, also install the CLI tool:

dotnet tool install --global Serilog.Sinks.File.Encrypt.Cli

Quick Start

1. Generate RSA Key Pair

First, generate an RSA key pair using the CLI tool:

serilog-encrypt generate --output ./keys

This creates two files:

  • public_key.xml: Used for encryption (safe to include with your application)
  • private_key.xml: Used for decryption (keep secure, do not distribute)

2. Configure Serilog with Encryption

using System.IO;
using Serilog;
using Serilog.Sinks.File.Encrypt;

// Load your public key (this example reads from a file)
string publicKeyXml = File.ReadAllText("./keys/public_key.xml");

// Configure Serilog with encryption
Log.Logger = new LoggerConfiguration()
    .WriteTo.File(
        path: "logs/app.log",
        hooks: new EncryptHooks(publicKeyXml))
    .CreateLogger();

// Log as usual
Log.Information("This message will be encrypted!");
Log.CloseAndFlush();

3. Decrypt Logs

Use the CLI tool to decrypt your log files:

serilog-encrypt decrypt --key ./keys/private_key.xml --file logs/app.log --output logs/app-decrypted.log

Advanced Usage

Programmatic Key Generation

You can generate keys programmatically using the EncryptionUtils class:

using System.IO;
using Serilog;
using Serilog.Sinks.File.Encrypt;

// Generate a new RSA key pair
var (publicKey, privateKey) = EncryptionUtils.GenerateRsaKeyPair(2048);

// Save keys to files (move private_key.xml to secure storage; do not deploy it with the application)
File.WriteAllText("public_key.xml", publicKey);
File.WriteAllText("private_key.xml", privateKey);

// Use the public key for encryption
Log.Logger = new LoggerConfiguration()
    .WriteTo.File("logs/app.log", hooks: new EncryptHooks(publicKey))
    .CreateLogger();

Programmatic Decryption

Decrypt log files programmatically:

using Serilog.Sinks.File.Encrypt;

string privateKeyXml = File.ReadAllText("private_key.xml");
string decryptedContent = EncryptionUtils.DecryptLogFile("logs/app.log", privateKeyXml);
Console.WriteLine(decryptedContent);

// Or decrypt directly to a file
EncryptionUtils.DecryptLogFileToFile("logs/app.log", privateKeyXml, "logs/decrypted.log");

Integration with Configuration

You can integrate encryption with Serilog configuration files:

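using System;
using Microsoft.Extensions.Configuration;
using Serilog;
using Serilog.Sinks.File.Encrypt;

// Load public key from configuration, environment, or secure storage
var configuration = new ConfigurationBuilder()
    .AddJsonFile("appsettings.json")
    .Build();

// Fail fast if the key is missing rather than passing null to EncryptHooks
string publicKeyXml = configuration["Logging:PublicKey"]
    ?? throw new InvalidOperationException("Logging:PublicKey is not configured");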

Log.Logger = new LoggerConfiguration()
    .ReadFrom.Configuration(configuration)
    .WriteTo.File(
        path: "logs/app.log",
        hooks: new EncryptHooks(publicKeyXml))
    .CreateLogger();

File Format

The encrypted log files use a custom format:

[HEADER_MARKER][key_length][iv_length][encrypted_aes_key][encrypted_aes_iv]
[CHUNK_MARKER][data_length][encrypted_log_data]
[CHUNK_MARKER][data_length][encrypted_log_data]
...

Each log chunk is encrypted with AES using a unique key and IV that are encrypted with RSA. This format allows for secure storage while maintaining the ability to decrypt individual log entries.

Security Considerations

  • Key Management: Keep private keys secure and never include them in your application deployment
  • Key Size: Default RSA key size is 2048 bits. For enhanced security, use 4096 bits
  • Storage: Store private keys in secure key management systems in production
  • Access Control: Restrict access to encrypted log files and private keys
  • Rotation: Consider implementing key rotation strategies for long-term deployments
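
The Key Management point above can be enforced at startup. The following guard is an added example, not part of Serilog.Sinks.File.Encrypt: it refuses key XML that carries private parameters or is shorter than a minimum size. `LogKeyGuard` and `RequirePublicOnly` are hypothetical names, and the code assumes the key files use the standard .NET `<RSAKeyValue>` layout produced by `RSA.ToXmlString`.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

// Hypothetical helper, not part of Serilog.Sinks.File.Encrypt.
public static class LogKeyGuard
{
    // Elements present only when the private key was exported (RSA.ToXmlString(true)).
    private static readonly string[] PrivateElements = { "D", "P", "Q", "DP", "DQ", "InverseQ" };

    // Returns keyXml unchanged if it is a public-only RSA key of at least minBits.
    public static string RequirePublicOnly(string? keyXml, int minBits = 2048)
    {
        if (string.IsNullOrWhiteSpace(keyXml))
            throw new InvalidOperationException("Log encryption key is missing.");

        XElement root = XElement.Parse(keyXml);
        if (root.Name.LocalName != "RSAKeyValue")
            throw new InvalidOperationException("Expected an <RSAKeyValue> document.");

        string[] leaked = root.Elements()
            .Select(e => e.Name.LocalName)
            .Where(n => Array.IndexOf(PrivateElements, n) >= 0)
            .ToArray();
        if (leaked.Length > 0)
            throw new InvalidOperationException(
                "Key XML contains private parameters (" + string.Join(", ", leaked) +
                "); deploy public_key.xml only.");

        using RSA rsa = RSA.Create();
        rsa.FromXmlString(keyXml);   // also rejects a malformed Modulus or Exponent
        if (rsa.KeySize < minBits)
            throw new InvalidOperationException(
                $"RSA key is {rsa.KeySize} bits; at least {minBits} required.");
        return keyXml;
    }
}

public static class Demo
{
    public static void Main()
    {
        using RSA sample = RSA.Create(2048);   // constructed sample key pair
        LogKeyGuard.RequirePublicOnly(sample.ToXmlString(false));      // accepted
        try { LogKeyGuard.RequirePublicOnly(sample.ToXmlString(true)); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Wrap the configured value before handing it to the sink, for example `hooks: new EncryptHooks(LogKeyGuard.RequirePublicOnly(publicKeyXml))`.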

Performance

The encryption process is optimized for logging scenarios:

  • Minimal overhead during log writing
  • Chunked encryption for better performance
  • Efficient memory usage with streaming
  • Compatible with Serilog's async logging (TODO)

Examples

Basic Console Application

using System;
using Serilog;
using Serilog.Sinks.File.Encrypt;

class Program
{
    static void Main()
    {
        // Generate keys (do this once, store securely)
        var (publicKey, privateKey) = EncryptionUtils.GenerateRsaKeyPair();
        
        // Configure encrypted logging
        Log.Logger = new LoggerConfiguration()
            .WriteTo.Console()
            .WriteTo.File(
                path: "logs/app-.log",
                rollingInterval: RollingInterval.Day,
                hooks: new EncryptHooks(publicKey))
            .CreateLogger();

        Log.Information("Application started");
        Log.Warning("This is a warning");
        Log.Error("This is an error");
        
        Log.CloseAndFlush();
        
        // Later, decrypt the logs (daily rolling appends the local date, yyyyMMdd, to the file name)
        string decrypted = EncryptionUtils.DecryptLogFile($"logs/app-{DateTime.Now:yyyyMMdd}.log", privateKey);
        Console.WriteLine("Decrypted content:");
        Console.WriteLine(decrypted);
    }
}

Web Application

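using Serilog;
using Serilog.Sinks.File.Encrypt;

var builder = WebApplication.CreateBuilder(args);

// Load public key from configuration; fail fast if it is missing
string publicKeyXml = builder.Configuration["Logging:PublicKeyXml"]
    ?? throw new InvalidOperationException("Logging:PublicKeyXml is not configured");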

builder.Host.UseSerilog((context, configuration) =>
    configuration
        .ReadFrom.Configuration(context.Configuration)
        .WriteTo.File(
            path: "logs/webapp-.log",
            rollingInterval: RollingInterval.Day,
            retainedFileCountLimit: 30,
            hooks: new EncryptHooks(publicKeyXml)));

var app = builder.Build();

app.MapGet("/", (ILogger<Program> logger) =>
{
    logger.LogInformation("Home page accessed at {Timestamp}", DateTime.UtcNow);
    return "Hello World!";
});

app.Run();

CLI Tool

The companion CLI tool (Serilog.Sinks.File.Encrypt.Cli) provides key management and decryption capabilities:

Generate Keys

serilog-encrypt generate --output /path/to/keys

Decrypt Logs

serilog-encrypt decrypt --key private_key.xml --file log.txt --output decrypted.txt

For detailed CLI documentation, see the CLI tool documentation.

Requirements

  • .NET 8.0 or higher
  • Serilog.Sinks.File package
  • RSA key pair for encryption/decryption in XML format

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to submit issues, feature requests, or pull requests.

Compatible and additional computed target framework versions (.NET)

Compatible: net8.0, net10.0
Computed: net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows, net9.0, net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version             Downloads   Last Updated
2.0.0               658         12/2/2025
1.0.0               405         12/1/2025
0.50.1              171         11/27/2025
0.0.0-alpha.0.27    126         11/27/2025
0.0.0-alpha.0.17    135         11/25/2025
0.0.0-alpha.0.14    130         11/24/2025
0.0.0-alpha.0.13    126         11/24/2025
0.0.0-alpha.0.12    133         11/24/2025