FoundationKit bundles two encryption modes behind a singleDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Orbis25/FoundationKit/llms.txt
Use this file to discover all available pages before exploring further.
IEncryptorService abstraction. The TweetNaCl / Curve25519 mode (EncryptCore / DecryptCore) provides asymmetric, authenticated encryption suitable for key exchange and encrypting AES configs sent from clients. The AES-CBC mode (AESEncrypt / AESDecrypt) handles bulk data encryption once both sides have agreed on a key and IV. A purpose-built middleware (FoundationKitAesEncryptorMiddleware) uses both together: the client sends an AES config encrypted with TweetNaCl in a request header, and the middleware decrypts the request body transparently before controllers see it.
Setup
RegisterIEncryptorService by calling AddFoundationKitEncryptor in Program.cs and providing an EncryptorOption instance.
EncryptorOption fields:
| Property | Type | Description |
|---|---|---|
PublicKey | string? | Base64-encoded Curve25519 public key |
PrivateKey | string? | Base64-encoded Curve25519 private key |
Enconding | Encoding? | Text encoding used during encryption/decryption (defaults to UTF-8) |
HeaderAes | string? | HTTP header name that carries the TweetNaCl-encrypted AES config (e.g. "AES") |
AddFoundationKitEncryptor accepts an optional ServiceLifetime parameter that controls how EncryptorOption is registered (defaults to Singleton). IEncryptorService itself is always registered as Scoped:
IEncryptorService methods
InjectIEncryptorService anywhere in your application:
TweetNaCl / Curve25519 encryption
pbKey / pvKey arguments:
TweetNaCl key pairs are 32-byte Curve25519 keys. To generate a pair, use the
TweetNaCl.Sharpen library directly: TweetNaCl.CryptoBoxKeypair(out byte[] publicKey, out byte[] privateKey). Store both as base64 strings in your secret store. The service uses CryptoBoxBeforenm to compute a shared key, so both sides must hold the same key pair or perform a proper key exchange first.AES-CBC encryption
AesConfig
AesConfig carries the symmetric key material for a single AES operation:
encryptedConfig in the configured HTTP header on every request, and the server decrypts it to retrieve Key and Iv for the request body.
AES Middleware
FoundationKitAesEncryptorMiddleware integrates the two-layer encryption scheme into the ASP.NET Core pipeline. On every request it:
Read the AES config header
Reads the HTTP header named by
EncryptorOption.HeaderAes (e.g. AES). Returns 401 if absent.Decrypt the AES config
Calls
DecryptCore<AesConfig> on the header value to recover the AesConfig. Returns 401 if decryption fails.Decrypt the request body
Deserializes the body as
RequestAesBase (expects a { "Data": "<base64>" } envelope), then calls AESDecrypt with the recovered config. Returns 400 if the body is missing or malformed.UseRouting and before MapControllers:
RequestAesBase:
Controller helper — AesOk<T>
EncryptorHelper.AesOk<T> is an extension method on ControllerBase that encrypts your response object using the same AES config the client sent in the request header, and wraps it in a RequestAesBase envelope:
401 Unauthorized if the header is missing or cannot be decrypted, 400 Bad Request if encryption fails, and 200 OK with the body { "Data": "<base64>" } on success.
Real-world usage from PeopleController:
Low-level helpers — AesEncrytionHelper
AesEncrytionHelper (in Foundationkit.Extensions.Encryptions.AES) provides static methods for direct byte-level AES operations:
| Method | Signature | Description |
|---|---|---|
EncryptStringToBytesAes | (string plainText, byte[] key, byte[] iv) → byte[] | AES-CBC encrypt plain text to cipher bytes |
DecryptStringFromBytesAes | (byte[] cipherText, byte[] key, byte[] iv) → string | AES-CBC decrypt cipher bytes to plain text |
EncryptECB | (string plainText, byte[] key) → byte[] | AES-ECB encrypt (128-bit key, PKCS7 padding) |
DencryptECB | (byte[] cipherText, byte[] key) → string | AES-ECB decrypt |
HexStringToByteArray | (string hex) → byte[] | Convert hex string (e.g. "AABBCC") to byte array |