Stratara.Security 3.1.2

Install:
- .NET CLI: `dotnet add package Stratara.Security --version 3.1.2`
- Package Manager: `NuGet\Install-Package Stratara.Security -Version 3.1.2`
- PackageReference: `<PackageReference Include="Stratara.Security" Version="3.1.2" />`
- Central package management: `<PackageVersion Include="Stratara.Security" Version="3.1.2" />` plus `<PackageReference Include="Stratara.Security" />`
- Paket: `paket add Stratara.Security --version 3.1.2`
- Script / interactive: `#r "nuget: Stratara.Security, 3.1.2"`
- File-based app: `#:package Stratara.Security@3.1.2`
- Cake: `#addin nuget:?package=Stratara.Security&version=3.1.2` or `#tool nuget:?package=Stratara.Security&version=3.1.2`
License: FSL-1.1-MIT (Functional Source License — source-available; converts to MIT after 2 years). Not OSI-approved OSS.
Dependency-light key store and envelope encryption for Stratara. Provides a production
IKeyStore with KEK-wrapped, versioned per-scope data-encryption keys (rotation, revoke, and
crypto-shred), a file-backed master-key provider, and an AES-GCM blob encryptor — referencing only
Stratara.Abstractions + BCL crypto. No EF Core, RabbitMQ, Redis, or cloud SDKs in the graph.
Quick start

```csharp
// appsettings / secrets:
// "Stratara": { "KeyStore": { "MasterKeyBase64": "<openssl rand -base64 32>", "StorePath": "/var/run/secrets/keystore.json" } }
builder.Services.AddStrataraFileKeyStore(builder.Configuration);

// `encryptor` is the registered ISecureBlobEncryptor (constructor-injected or resolved from the
// service provider); `plainStream` is the caller's input stream.
// Encrypt a blob bound to a tenant scope + purpose:
var scope = new KeyScope(DataSensitivityLevel.TenantScoped, tenantId: "acme-corp");
await using var encrypted = await encryptor.EncryptAsync(plainStream, scope, purpose: "attachment");
await using var plain = await encryptor.DecryptAsync(encrypted, scope);
```
What's inside
- `EnvelopeFileKeyStore` (`IKeyStore`) — random 32-byte DEK per scope/version, KEK-wrapped with AES-256-GCM (wrap AAD bound to the key id, so a wrapped DEK can't be moved to another scope). The store file holds only wrapped DEKs + metadata, never plaintext. `RotateAsync` adds a version; `RevokeAsync` makes one version undecryptable; `EraseScopeAsync` deletes all versions for a scope (GDPR Art. 17 crypto-shred). DEKs are zeroed after use; the store file is written `0600` on Unix.
- `FileMasterKeyProvider` (`IMasterKeyProvider`) — KEK from `MasterKeyBase64`, validated to decode to exactly 32 bytes (AES-256) at startup. The custody seam: swap for an HSM / KMS / vault provider later without touching the stored data.
- `AesGcmSecureBlobEncryptor` (`ISecureBlobEncryptor`) — AES-GCM stream encryption with a purpose-bound AAD (`{tenant}||{purpose}`) and a versioned, self-describing format (v2 leading byte). Reads legacy streams without the version byte; set `Stratara:BlobEncryption:LegacyBlobsCarryPurpose` to match the legacy layout.
- `DummyKeyStore` — Development-only deterministic fallback (throws outside Development).
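The wrap-AAD point above is worth seeing concretely. The following is an added example, not code from the Stratara.Security package: it wraps a random DEK under a KEK with AES-256-GCM using the key id as associated data, then shows that the same wrapped blob is rejected when unwrapped under a different key id. The `nonce || ciphertext || tag` layout, the `EnvelopeDemo` class and the `WrapDek` / `UnwrapDek` names are assumptions of this example; the package's own on-disk layout is not documented here. The blob encryptor's `{tenant}||{purpose}` AAD works on the same principle.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the package's code). Assumed layout: nonce || ciphertext || tag.
static class EnvelopeDemo
{
    const int NonceSize = 12, TagSize = 16;

    // Wrap a DEK under the KEK; the key id is the AAD, so the blob is bound to that id.
    public static byte[] WrapDek(byte[] kek, byte[] dek, string keyId)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize);   // fresh nonce per wrap
        var ciphertext = new byte[dek.Length];
        var tag = new byte[TagSize];
        using var gcm = new AesGcm(kek, TagSize);
        gcm.Encrypt(nonce, dek, ciphertext, tag, Encoding.UTF8.GetBytes(keyId));

        var blob = new byte[NonceSize + ciphertext.Length + TagSize];
        nonce.CopyTo(blob, 0);
        ciphertext.CopyTo(blob, NonceSize);
        tag.CopyTo(blob, NonceSize + ciphertext.Length);
        return blob;
    }

    // Unwrap; throws CryptographicException if the KEK, the blob or the key id (AAD) does not match.
    public static byte[] UnwrapDek(byte[] kek, byte[] blob, string keyId)
    {
        var nonce = blob.AsSpan(0, NonceSize);
        var tag = blob.AsSpan(blob.Length - TagSize);
        var ciphertext = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        var dek = new byte[ciphertext.Length];
        using var gcm = new AesGcm(kek, TagSize);
        gcm.Decrypt(nonce, ciphertext, tag, dek, Encoding.UTF8.GetBytes(keyId));
        return dek;
    }

    public static void Main()
    {
        var kek = RandomNumberGenerator.GetBytes(32);   // stands in for the IMasterKeyProvider output
        var dek = RandomNumberGenerator.GetBytes(32);   // one DEK for one scope/version
        const string keyId = "TenantScoped:acme-corp::v1";

        var wrapped = WrapDek(kek, dek, keyId);

        var unwrapped = UnwrapDek(kek, wrapped, keyId);
        Console.WriteLine(unwrapped.AsSpan().SequenceEqual(dek));   // True
        CryptographicOperations.ZeroMemory(unwrapped);               // zero the DEK after use

        try
        {
            // Same KEK, same blob, different key id: the GCM tag check fails.
            UnwrapDek(kek, wrapped, "TenantScoped:other-tenant::v1");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("rejected: wrapped DEK is bound to a different key id");
        }
        CryptographicOperations.ZeroMemory(dek);
    }
}
```

A store that omitted the AAD would accept the second unwrap, which is exactly the cross-scope key move the README says the wrap AAD prevents.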
Key id schema
{level}:{tenant}:{user}:v{N} — e.g. TenantScoped:acme-corp::v1. GetOrCreateCurrentKeyAsync
returns the highest non-revoked version (creating v1 if none); RotateAsync creates v{N+1}.
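To make the version rules above concrete, here is an added example (not the package's code) that parses the documented `{level}:{tenant}:{user}:v{N}` schema and selects the current and next versions from a list of records. `KeyId`, `KeyRecord` and `KeyVersions` are constructed stand-ins for the store's metadata; the example assumes that `N` in `v{N+1}` is the highest version ever minted for the scope, revoked ones included, so a revoked version id is never reissued.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the package's code). Parses the README's key id schema.
public sealed record KeyId(string Level, string Tenant, string User, int Version)
{
    public static KeyId Parse(string id)
    {
        var parts = id.Split(':');
        if (parts.Length != 4 || !parts[3].StartsWith('v')
            || !int.TryParse(parts[3].AsSpan(1), out var version) || version < 1)
            throw new FormatException($"Malformed key id '{id}'.");
        return new KeyId(parts[0], parts[1], parts[2], version);
    }

    // Everything before the version: "TenantScoped:acme-corp:" for the README's example.
    public string ScopePrefix => $"{Level}:{Tenant}:{User}";

    public override string ToString() => $"{ScopePrefix}:v{Version}";
}

// Constructed stand-in for the metadata the store keeps beside each wrapped DEK.
public sealed record KeyRecord(KeyId Id, bool Revoked);

public static class KeyVersions
{
    // Highest non-revoked version for the scope, or null if none (the store would create v1).
    public static KeyId? Current(IEnumerable<KeyRecord> records, string scopePrefix) =>
        records.Where(r => !r.Revoked && r.Id.ScopePrefix == scopePrefix)
               .OrderByDescending(r => r.Id.Version)
               .Select(r => r.Id)
               .FirstOrDefault();

    // v{N+1}; assumption: N counts revoked versions too, so a revoked id is never re-minted.
    public static KeyId NextRotation(IEnumerable<KeyRecord> records, string scopePrefix)
    {
        var highest = records.Where(r => r.Id.ScopePrefix == scopePrefix)
                             .Select(r => r.Id.Version)
                             .DefaultIfEmpty(0)
                             .Max();
        var parts = scopePrefix.Split(':');
        return new KeyId(parts[0], parts[1], parts[2], highest + 1);
    }

    public static void Main()
    {
        // Constructed sample: v1 live, v2 revoked.
        var records = new List<KeyRecord>
        {
            new(KeyId.Parse("TenantScoped:acme-corp::v1"), Revoked: false),
            new(KeyId.Parse("TenantScoped:acme-corp::v2"), Revoked: true),
        };
        const string scope = "TenantScoped:acme-corp:";

        Console.WriteLine(Current(records, scope));        // TenantScoped:acme-corp::v1 (v2 is revoked)
        Console.WriteLine(NextRotation(records, scope));   // TenantScoped:acme-corp::v3
    }
}
```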
Dependencies

Stratara.Abstractions, Stratara.Diagnostics, Microsoft.Extensions.{Configuration,DependencyInjection,Hosting,Logging}.Abstractions, Microsoft.Extensions.Options (+ Options.ConfigurationExtensions)
| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |

net10.0 dependencies:
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.8)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Hosting.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Logging.Abstractions (>= 10.0.8)
- Microsoft.Extensions.Options (>= 10.0.8)
- Microsoft.Extensions.Options.ConfigurationExtensions (>= 10.0.8)
- Stratara.Abstractions (>= 3.1.2)
- Stratara.Diagnostics (>= 3.1.2)
NuGet packages (2)
Showing the top 2 NuGet packages that depend on Stratara.Security:
- Stratara.Infrastructure — Infrastructure glue for the Stratara framework — authorization decorators, configuration providers, and DI composition helpers that wire Mediator, Outbox, Identity, and EF Core into a hosted app.
- Stratara.Testing — Test doubles and assertion helpers for applications built on the Stratara framework — an in-memory IKeyStore, an in-memory IMessageBus, a preset ISessionContextProvider, deterministic tenant ids, and a given/when/then aggregate rehydration harness. Drop the Postgres/RabbitMQ testcontainers for unit tests.
GitHub repositories
This package is not used by any popular GitHub repositories.
### Added
- **New package `Stratara.Testing`** — test doubles and assertion helpers so consumers can
unit-test Stratara-based code without Postgres or RabbitMQ testcontainers. Reference it from
test projects only.
- `AggregateTestHarness<T>` + `Aggregate.Rehydrate<T>(...)` — given/when/then rehydration of an
aggregate from events using the same reflection-based `Apply(...)` dispatch as the production
aggregation service. It throws on an event with no matching `Apply` overload so a forgotten or
mistyped overload fails the test; opt back into the production-lenient skip with
`IgnoringUnmappedEvents()`.
- `InMemoryKeyStore` — an `IKeyStore` that mints random 256-bit DEKs per `KeyScope` and supports
rotation / revocation / scope-erasure without a master KEK or key file.
- `TestBlobEncryptor.CreateAesGcm()` — the real AES-GCM `ISecureBlobEncryptor` over an
`InMemoryKeyStore`, so blob round-trips exercise production encryption.
- `InMemoryMessageBus` — an `IMessageBus` with synchronous in-process dispatch and a `Published`
list for assertions.
- `TestSessionContext` / `TestSessionContextProvider` — preset Actor/Subject `SessionContext`
values and an `ISessionContextProvider` double.
- `TestTenants.Of("acme")` — stable, deterministic tenant/user ids from readable slugs.
`TestSessionContext` sets both correlation and causation ids so the context can drive
event-store writes.
- `TestEvent.Create(payload, ...)` — wrap an event payload in `IEvent<T>` with realistic
metadata; `ProjectionTester.HandleAsync(projection, event)` — invoke a projection's private
`HandleAsync` handler directly to unit-test it against mocked repositories.
- **New package `Stratara.Testing.EntityFrameworkCore`** — spins up the **real** event-sourcing
write stack (`IEventSource`, `IAggregationService`, snapshots, the EF Core write store) against a
shared in-memory SQLite database in one call, so tests exercise production code paths without
Postgres or Docker. Reference it from test projects only.
- `EventStoreTestHost.Create(...)` — owns the SQLite connection + service provider; exposes
`ExecuteAsync(IEventSource)`, `AggregateAsync<T>(streamId)`, the preset `Session`, and the
recording `Outbox`.
- `AddStrataraTestingEventStore<TWriteDbContext>(connection, tenantId)` — the lower-level DI
extension; `StrataraTestWriteDbContext` — a ready-made concrete write context;
`RecordingEventBundleOutboxDispatcher` — captures emitted bundles for assertions.
- The lockstep family grows from 22 to 24 packable packages.