If you just need to encrypt data in your system in a dependable and best-practice way, then this library will do you fine. There are, however, some scenarios that it is less suitable for:
There are ways you can work around all of these limitations by working closer with the underlying technologies and make a number of choices. For example, you can use the streaming APIs, you may forgo Authenticated Encryption or use the same symmetric key for multiple items. All of these approaches have secrurity implications that you will need to assess for your specific scenario.
This package relies on Azure Key Vault to encrypt the symmetric key and to sign the hash. It expects two fixed keys in Azure Key Vault - one for the encryption part and one for the
The encrypted data contains all the references and key identifiers it needs to find the correct keys in key vault, validate the signature and decrypt the content.
That comes with a fixed overhead of 353 bytes. The encrypted content itself has the same size as the input content, except it goes up in 16 byte increments.
Examples
..explain what is is... The approach taken here varies slightly from the canonical implementation. In order to generate the MAC, the library will create a hash of the encrypted content and the IV and use Azure Keyvault to sign and verify this, rather than doing it locally with a another key.
Span not possible with ICryptoTransform, so having to use byte[] in certain places. See [].Net Issue](https://github.com/dotnet/runtime/issues/38764).