SaQura .NET · v1.0.13 · NuGet
SaQura Cryptography Library
Introduction
SaQura provides AES-256-GCM, RSA-4096, password hashing and post-quantum encryption. Processing runs locally in your application; no data is sent to third parties. Namespace: SaQura.
Package: NuGet · SaQura. Byte-compatible with the Kotlin, Swift, Python and JS/TS SDKs (see the tabs above).
Requirements
- Framework: .NET 8.0+
- Platforms: Windows x64, Linux x64/ARM64, macOS (Intel/ARM), Android, iOS (.NET MAUI)
- Memory: PQC key generation is compute-intensive — prefer Gen6 on mobile.
Installation
dotnet add package SaQuraWithout a license SaQura runs in Free mode(watermark, 100-byte PQC limit). A license unlocks all features.
License activation
Option A: license key (online)
using SaQura;
var result = await ApiLicense.ActivateLicenseAsync("PRO-XXXX-XXXX-XXXX-XXXX");
if (result.Success)
{
Console.WriteLine($"License active: {ApiLicense.CurrentTier}");
}Option B: standard license file
using SaQura;
var result = await ApiLicense.ActivateLicenseFileAsync("license.lic");
if (result.Success)
{
Console.WriteLine("License activated!");
}Option C: distribution license (App/Play Store)
// MauiProgram.cs — activate license at startup (background)
Task.Run(async () =>
{
if (ApiLicense.IsLicensed) return;
using var stream = await FileSystem.OpenAppPackageFileAsync("license.lic");
using var reader = new StreamReader(stream);
var json = await reader.ReadToEndAsync();
var result = await ApiLicense.ActivateLicenseFromJsonAsync(json);
});App binding (optional, free): on request we bind your distribution license to your app – to the package name or bundle identifier (Android, iOS, macOS, Windows) and, on Android, Windows and macOS desktop, also to your signing certificate. An extracted license file then cannot be activated in any other app. The app identity is checked by the operating system and enforced in the SDK; binding requires a current SDK version, which we confirm when issuing the license. Linux has no OS-attested app identity – there we issue an unbound license. Contact us for a bound license.
Check license status
if (ApiLicense.IsLicensed)
{
Console.WriteLine($"Tier: {ApiLicense.CurrentTier}");
Console.WriteLine($"Days remaining: {ApiLicense.GetDaysRemaining()}");
Console.WriteLine($"AES: {ApiLicense.IsAESAvailable}, Quantum: {ApiLicense.IsQuantumAvailable}");
}API reference
Quantum generations
Self-describing generation headers (crypto-agile, backward-compatible). Gen2–7 follow the BSI-recommended profile; Gen8 adds X25519 + ML-KEM (NIST FIPS 203).
| Generation | Description | Use case |
|---|---|---|
| Gen4 | FrodoKEM-1344 + AES-GCM | General purpose (recommended) |
| Gen6 | Mobile-optimised | Mobile / on-device |
| Gen7 | Hybrid RSA+Quantum | Critical infrastructure (Pro+) |
| Gen8 | X25519 + ML-KEM (FIPS 203) | Quantum-safe (Pro+) |
Post-quantum signatures
Signatures per NIST FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Signing from Pro; verification in all tiers.
Key classes
ApiLicense, AES, RSAKey, Quantum, QuantumSignature, PasswordHasher, StreamingExtensions.
Code examples
AES encryption
using SaQura;
var key = AES.GenerateAESKey();
var encrypted = await AES.EncryptAsync("Secret message", key);
var decrypted = await AES.DecryptAsync(encrypted, key);Password-based encryption
using SaQura;
var salt = AES.GenerateSalt(); // store with the data
var key = AES.DeriveKeyFromPassword("user_password_123", salt);
var encrypted = await AES.EncryptAsync("Sensitive data", key);
var key2 = AES.DeriveKeyFromPassword("user_password_123", salt);
var decrypted = await AES.DecryptAsync(encrypted, key2);RSA + digital signatures
using SaQura;
using System.Text;
var (privateKey, publicKey) = await RSAKey.NewKeyPairAsync();
var data = Encoding.UTF8.GetBytes("Document to sign");
var signature = await RSAKey.SignAsync(data, privateKey);
var isValid = await RSAKey.VerifyAsync(data, signature, publicKey);Quantum-safe encryption (Pro+)
using SaQura;
var generation = Quantum.GetRecommendedGeneration(
isMobile: false, requiresHighestSecurity: false);
var (publicKey, privateKey) = Quantum.GenerateKeyPair(
QuantumStrength.Standard, generation);Password hashing
using SaQura;
var hash = await PasswordHasher.HashPasswordAsync("MySecurePassword123!");
var ok = await PasswordHasher.VerifyPasswordAsync("MySecurePassword123!", hash);Large-file streaming
Encrypts files of any size at constant memory— no ~2 GB limit. Its own SQS1 format, fully additive (from 1.0.10).
- Two suites (auto):
AES-256-GCMandChaCha20-Poly1305. - Tamper-evident per segment.
- PQC envelope (Pro+): a per-file key wrapped with a SaQura PQC key → GDPR crypto-shredding.
- Tiering: streaming from Standard; PQC envelope from Pro.
using SaQura;
await StreamingExtensions.EncryptFileAsync(
"input.mp4", "input.mp4.enc", key,
suite: StreamCipherSuite.AesGcm);
await StreamingExtensions.DecryptFileAsync(
"input.mp4.enc", "output.mp4", key);The SQS1 format is byte-identical across all SaQura SDKs. Examples: saqura-samples.
Best practices
Key management
- Never hard-code keys.
- Rotate keys regularly.
- Use platform secure storage (Keychain, KeyStore, DPAPI).
- Treat private keys and license files as secrets.
Error handling
try
{
var encrypted = await AES.EncryptAsync(plainText, key);
}
catch (LicenseException ex) // feature not in current tier
{
Console.WriteLine($"License error: {ex.Message} (Feature: {ex.Feature})");
}
catch (CryptographicException ex)
{
Console.WriteLine($"Crypto error: {ex.Message}");
}Troubleshooting
"License validation failed"
The license file is corrupt or modified — load a fresh .lic or reach us via our contact form.
License error / feature not available
The feature is not enabled in your tier (AES from Standard, PQC from Pro). Check currentTier before calling restricted APIs.
Questions? Use our contact form — please include version, platform and a short description. Never include encryption keys in support tickets.