Security
SquidStd ships focused primitives for the three common secret-handling needs: hashing credentials, protecting payloads with a key, and storing named secrets.
Steps
Hash passwords with
HashUtils(PBKDF2-SHA256). Never store plaintext.var stored = HashUtils.HashPassword(password); var ok = HashUtils.VerifyPassword(password, stored);Protect payloads through
ISecretProtector. The default (SquidStd.Services.Core) is AES-GCM; for managed keys useRegisterKmsSecretProtectorfromSquidStd.Secrets.Aws.byte[] protectedData = protector.Protect(plaintext); byte[] clear = protector.Unprotect(protectedData);Store named secrets behind
ISecretStore. The default is file-backed; useRegisterAwsSecretsManagerStore(SquidStd.Secrets.Aws) for AWS Secrets Manager.await store.SetAsync("db/password", value); var secret = await store.GetAsync("db/password");Use a PGP keyring for armored encryption/signing by registering a key store with
RegisterPgpfromSquidStd.Crypto.container.RegisterPgp(resolver => myPgpKeyStore);
Recommendation
Use HashUtils for credentials, ISecretProtector (AES-GCM locally, KMS in the
cloud) for encrypting blobs, and ISecretStore for named secrets - backed by
files in development and AWS Secrets Manager in production.