SaQura .NET · v1.0.13 · NuGet

SaQura Cryptography Library

Introduction

SaQura provides AES-256-GCM, RSA-4096, password hashing and post-quantum encryption. Processing runs locally in your application; no data is sent to third parties. Namespace: SaQura.

Package: NuGet · SaQura. Byte-compatible with the Kotlin, Swift, Python and JS/TS SDKs (see the tabs above).

Requirements

  • Framework: .NET 8.0+
  • Platforms: Windows x64, Linux x64/ARM64, macOS (Intel/ARM), Android, iOS (.NET MAUI)
  • Memory: PQC key generation is compute-intensive — prefer Gen6 on mobile.

Installation

dotnet add package SaQura

Without a license SaQura runs in Free mode(watermark, 100-byte PQC limit). A license unlocks all features.

License activation

Option A: license key (online)

using SaQura;

var result = await ApiLicense.ActivateLicenseAsync("PRO-XXXX-XXXX-XXXX-XXXX");

if (result.Success)
{
    Console.WriteLine($"License active: {ApiLicense.CurrentTier}");
}

Option B: standard license file

using SaQura;

var result = await ApiLicense.ActivateLicenseFileAsync("license.lic");
if (result.Success)
{
    Console.WriteLine("License activated!");
}

Option C: distribution license (App/Play Store)

// MauiProgram.cs — activate license at startup (background)
Task.Run(async () =>
{
    if (ApiLicense.IsLicensed) return;
    using var stream = await FileSystem.OpenAppPackageFileAsync("license.lic");
    using var reader = new StreamReader(stream);
    var json = await reader.ReadToEndAsync();
    var result = await ApiLicense.ActivateLicenseFromJsonAsync(json);
});

App binding (optional, free): on request we bind your distribution license to your app – to the package name or bundle identifier (Android, iOS, macOS, Windows) and, on Android, Windows and macOS desktop, also to your signing certificate. An extracted license file then cannot be activated in any other app. The app identity is checked by the operating system and enforced in the SDK; binding requires a current SDK version, which we confirm when issuing the license. Linux has no OS-attested app identity – there we issue an unbound license. Contact us for a bound license.

Check license status

if (ApiLicense.IsLicensed)
{
    Console.WriteLine($"Tier: {ApiLicense.CurrentTier}");
    Console.WriteLine($"Days remaining: {ApiLicense.GetDaysRemaining()}");
    Console.WriteLine($"AES: {ApiLicense.IsAESAvailable}, Quantum: {ApiLicense.IsQuantumAvailable}");
}

API reference

Quantum generations

Self-describing generation headers (crypto-agile, backward-compatible). Gen2–7 follow the BSI-recommended profile; Gen8 adds X25519 + ML-KEM (NIST FIPS 203).

GenerationDescriptionUse case
Gen4FrodoKEM-1344 + AES-GCMGeneral purpose (recommended)
Gen6Mobile-optimisedMobile / on-device
Gen7Hybrid RSA+QuantumCritical infrastructure (Pro+)
Gen8X25519 + ML-KEM (FIPS 203)Quantum-safe (Pro+)

Post-quantum signatures

Signatures per NIST FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Signing from Pro; verification in all tiers.

Key classes

ApiLicense, AES, RSAKey, Quantum, QuantumSignature, PasswordHasher, StreamingExtensions.

Code examples

AES encryption

using SaQura;

var key = AES.GenerateAESKey();
var encrypted = await AES.EncryptAsync("Secret message", key);
var decrypted = await AES.DecryptAsync(encrypted, key);

Password-based encryption

using SaQura;

var salt = AES.GenerateSalt();                       // store with the data
var key  = AES.DeriveKeyFromPassword("user_password_123", salt);
var encrypted = await AES.EncryptAsync("Sensitive data", key);

var key2 = AES.DeriveKeyFromPassword("user_password_123", salt);
var decrypted = await AES.DecryptAsync(encrypted, key2);

RSA + digital signatures

using SaQura;
using System.Text;

var (privateKey, publicKey) = await RSAKey.NewKeyPairAsync();

var data = Encoding.UTF8.GetBytes("Document to sign");
var signature = await RSAKey.SignAsync(data, privateKey);
var isValid = await RSAKey.VerifyAsync(data, signature, publicKey);

Quantum-safe encryption (Pro+)

using SaQura;

var generation = Quantum.GetRecommendedGeneration(
    isMobile: false, requiresHighestSecurity: false);

var (publicKey, privateKey) = Quantum.GenerateKeyPair(
    QuantumStrength.Standard, generation);

Password hashing

using SaQura;

var hash = await PasswordHasher.HashPasswordAsync("MySecurePassword123!");
var ok = await PasswordHasher.VerifyPasswordAsync("MySecurePassword123!", hash);

Large-file streaming

Encrypts files of any size at constant memory— no ~2 GB limit. Its own SQS1 format, fully additive (from 1.0.10).

  • Two suites (auto): AES-256-GCM and ChaCha20-Poly1305.
  • Tamper-evident per segment.
  • PQC envelope (Pro+): a per-file key wrapped with a SaQura PQC key → GDPR crypto-shredding.
  • Tiering: streaming from Standard; PQC envelope from Pro.
using SaQura;

await StreamingExtensions.EncryptFileAsync(
    "input.mp4", "input.mp4.enc", key,
    suite: StreamCipherSuite.AesGcm);

await StreamingExtensions.DecryptFileAsync(
    "input.mp4.enc", "output.mp4", key);

The SQS1 format is byte-identical across all SaQura SDKs. Examples: saqura-samples.

Best practices

Key management

  • Never hard-code keys.
  • Rotate keys regularly.
  • Use platform secure storage (Keychain, KeyStore, DPAPI).
  • Treat private keys and license files as secrets.

Error handling

try
{
    var encrypted = await AES.EncryptAsync(plainText, key);
}
catch (LicenseException ex)   // feature not in current tier
{
    Console.WriteLine($"License error: {ex.Message} (Feature: {ex.Feature})");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"Crypto error: {ex.Message}");
}

Troubleshooting

"License validation failed"

The license file is corrupt or modified — load a fresh .lic or reach us via our contact form.

License error / feature not available

The feature is not enabled in your tier (AES from Standard, PQC from Pro). Check currentTier before calling restricted APIs.

Questions? Use our contact form — please include version, platform and a short description. Never include encryption keys in support tickets.