Keyczar high level encryption toolkit in C#


Keyczar dotnet

Implemented in C# 4 to match the standard features of the Java/Python/C++ Keyczar implementations; it interoperates with them by default. Uses BouncyCastle as the backend for most encryption. Official keyczar site:

Binary Release

Keyczar.dll and KeyczarTool.exe can be added to your project using NuGet

PM> Install-Package Keyczar -Pre

Although it's listed as pre-release in NuGet, Keyczar-dotnet currently has over 600 unit tests providing 90% code coverage and is also tested against data produced by the Python and Java Keyczar implementations. Because it is a security framework, I'm going to keep it conservatively listed as pre-release until more eyes have been on the code.

Source Code for debugging NuGet provided binaries can be downloaded automatically in Visual Studio by configuring


KeyczarTool.exe provides the primary mechanism for creating and managing keysets. Calling KeyczarTool.exe from the command line without flags will display usage. Use it to create your key set first and use it to rotate your keys later.

Once you have your key set, the basic API is very simple to use for encryption:

string plaintext = "Secret Message";
WebBase64 ciphertext;
// Encrypt with the key set
using (var encrypter = new Encrypter("path_to_keyset"))
    ciphertext = encrypter.Encrypt(plaintext);
// Decrypt with the same key set
using (var crypter = new Crypter("path_to_keyset"))
{
    var plaintext2 = crypter.Decrypt(ciphertext);
}

and for signatures:

string plaintext = "A Message";
WebBase64 signature;
using (var signer = new Signer("path_to_keyset"))
    signature = signer.Sign(plaintext);
// Declared outside the using statement: a declaration cannot be its body
bool isVerified;
using (var verifier = new Verifier("path_to_keyset"))
    isVerified = verifier.Verify(plaintext, signature);

See more usage and documentation in the Wiki.
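A smoke test to run after creating or rotating key sets with KeyczarTool, as an added example that is not part of the Keyczar-dotnet project; it uses only the Encrypter, Crypter, Signer and Verifier calls shown above. The class name, the probe strings and the two key set paths passed on the command line are assumptions.

```csharp
using System;
using Keyczar;

// Added example (not project code): checks that a crypt key set round-trips
// and that a signing key set rejects a message changed after signing.
static class KeysetSmokeTest
{
    // True only if the probe string decrypts back to itself.
    public static bool CryptRoundTrips(string cryptKeysetPath)
    {
        const string probe = "keyset smoke test probe"; // constructed sample input
        WebBase64 ciphertext;
        using (var encrypter = new Encrypter(cryptKeysetPath))
            ciphertext = encrypter.Encrypt(probe);
        using (var crypter = new Crypter(cryptKeysetPath))
            return crypter.Decrypt(ciphertext) == probe;
    }

    // True only if the original message verifies AND an altered one does not.
    public static bool SignatureBindsMessage(string signKeysetPath)
    {
        const string message = "amount=10;to=alice"; // constructed sample input
        const string altered = "amount=99;to=alice"; // same message, one field changed
        WebBase64 signature;
        using (var signer = new Signer(signKeysetPath))
            signature = signer.Sign(message);
        using (var verifier = new Verifier(signKeysetPath))
            return verifier.Verify(message, signature)
                && !verifier.Verify(altered, signature);
    }

    // Usage: KeysetSmokeTest.exe <crypt_keyset_path> <sign_keyset_path>
    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: KeysetSmokeTest <crypt_keyset> <sign_keyset>");
            return 2;
        }
        bool ok = CryptRoundTrips(args[0]) && SignatureBindsMessage(args[1]);
        Console.WriteLine(ok ? "key sets OK" : "key set check FAILED");
        return ok ? 0 : 1; // non-zero exit lets a deployment script stop on failure
    }
}
```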


  • .NET 4.0 or Mono v2.10





Source code can be obtained with git

git clone --recursive

The recursive flag pulls in the unit test data.


Visual Studio 2010 or Later / MSBuild


Dependencies should be downloaded automatically with NuGet, which is integrated into the solution. Build All should trigger NuGet to download all dependencies from Visual Studio or MSBuild.

MonoDevelop 3.04 or Later / xbuild


Run script first to restore the NuGet dependencies. Then you may build from MonoDevelop with Build All, or with xbuild: set export EnableNuGetPackageRestore=true and run xbuild Keyczar.sln.

See more in Building in Depth.


Code contribution, reported issues or code reviews welcome! Pull requests are automatically built and tested with Travis CI.


  • Should interoperate with Java/Python/C++ when using the standard API
  • All unofficial/incompatible API changes are under the unofficial namespace, to make clear what won't interoperate with Java/Python/C++
  • Unofficial algorithms included are AES-GCM (KeyType=C#_AES_AEAD) and RSA-PSS (KeyType=C#_RSA_SIGN_PRIV); to use them, pass the unofficial flag to KeyczarTool.
  • VanillaSigner and VanillaVerifier are feature-identical to the Java/Python/C++ UnversionedSigner and UnversionedVerifier
  • The functionality of the Java/Python/C++ SessionEncrypter, SessionDecrypter, SignedSessionEncrypter, and SignedSessionDecrypter is provided by the C# SessionCrypter via constructor arguments.