PostQuantum.DataProtection.Aws 0.1.0-preview.7

This is a prerelease version of PostQuantum.DataProtection.Aws.

PostQuantum.DataProtection.Aws

License: MIT

AWS Secrets Manager-backed IPostQuantumKeyStore for PostQuantum.DataProtection.

⚠️ Preview (0.1.0-preview.4). Tracks the core preview cadence.

Install

dotnet add package PostQuantum.DataProtection.Aws --prerelease

Wire it up

using Amazon;

builder.Services.AddPostQuantumKeyManagement(...);
builder.Services
    .AddDataProtection()
    .ProtectKeysWithPostQuantum(o =>
    {
        o.KeyStorePath = "keys/unused-pq-keystore.txt"; // ignored when AWS store is registered
    });

// Replace the file store with AWS Secrets Manager.
builder.Services.AddPostQuantumDataProtectionAws(o =>
{
    o.Region = RegionEndpoint.USEast1;
    // o.Credentials = ...   // optional; defaults to the AWS SDK credential chain
    // o.SecretPrefix = "pq-dp-prod";   // optional; defaults to "pq-dataprotection"
});

Or, with the AWS SDK default credential / region resolution:

builder.Services.AddPostQuantumDataProtectionAws();

What goes into Secrets Manager

| Secret name | Contents |
|---|---|
| pq-dataprotection-{keyId} | The PostQuantumKeyPair.Encode() token |
| pq-dataprotection-active | The active keypair id |

The PQ secret key is wrapped under the host KEK before it reaches AWS — AWS sees opaque bytes.

Required IAM permissions

The credential principal needs:

  • secretsmanager:GetSecretValue
  • secretsmanager:ListSecrets
  • secretsmanager:PutSecretValue
  • secretsmanager:CreateSecret

Scope to the secret name pattern (pq-dataprotection-* by default).

The store never deletes or updates secret metadata; pruning historical keypairs is a deliberate operator action. See KNOWN-GAPS.md §5.
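An IAM policy scoped as described above, added here as an example (not taken from the package's own documentation). It assumes the default pq-dataprotection prefix and the us-east-1 region from the wiring example; the account ID 111122223333 is a placeholder. No delete or metadata-update actions are granted, matching the store's behaviour.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PqKeyStoreSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:pq-dataprotection-*"
    },
    {
      "Sid": "ListSecretsAccountWide",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
```

secretsmanager:ListSecrets does not support resource-level permissions, so it needs its own statement with "Resource": "*"; it exposes secret names and metadata, not secret values. If you set a custom SecretPrefix, change the ARN pattern to match.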

Cost

  • Startup: 1 List + N Get calls. With 100 keypairs that is 101 API calls.
  • Rotation: 2 Put/Create calls per rotation.
  • Steady state: zero — the store caches in memory after first load.

Secrets Manager pricing in us-east-1 at the time of writing is $0.40 per secret per month plus $0.05 per 10 000 API calls. Even a fleet with rapid rotation (daily) and a 100-replica cold start matrix sits comfortably below $5/month per ring.


To God be the glory — 1 Corinthians 10:31.

Compatible target frameworks (included in package): net8.0, net9.0, net10.0.
Computed for each of these: -android, -browser, -ios, -maccatalyst, -macos, -tvos, -windows.


| Version | Downloads | Last Updated |
|---|---|---|
| 0.1.0-preview.7 | 55 | 6/4/2026 |
| 0.1.0-preview.6 | 51 | 6/4/2026 |
| 0.1.0-preview.5 | 59 | 6/4/2026 |
| 0.1.0-preview.4 | 52 | 6/4/2026 |

0.1.0-preview.4: First public preview. AWS Secrets Manager-backed IPostQuantumKeyStore for PostQuantum.DataProtection. Parallel structure to PostQuantum.DataProtection.AzureKeyVault — same secret-prefix model, same crash-safe write order (keypair secret before active-pointer secret), same narrow ISecretsManagerClient seam for unit tests.