Encryption at Rest
Every artifact you upload to NugetHosting is encrypted before storage, ensuring your packages remain confidential.
Overview
NugetHosting provides per-tenant encryption at rest for all uploaded artifacts. This means:
- Every NuGet package (.nupkg) is encrypted before being stored
- Every Docker container layer is encrypted before being stored
- Each user has their own unique encryption key
- Files are encrypted with AES-256-GCM, a military-grade standard
- Encryption is automatic — no configuration required on your part
No action required: Encryption is handled transparently. Your packages are encrypted during upload and decrypted during download — your workflow stays exactly the same.
How It Works
Upload (Encryption)
- You push a NuGet package or Docker image via your CLI tool
- NugetHosting validates your credentials and plan limits
- Your unique encryption key is retrieved (or created if first upload)
- The file is encrypted using AES-256-GCM with your key
- The encrypted file is stored in our cloud storage
Download (Decryption)
- You restore or pull a package via your CLI tool
- NugetHosting validates your credentials
- The encrypted file is retrieved from storage
- Your encryption key decrypts the file
- The original, unmodified file is served to you
Your file → Encrypt (AES-256-GCM) → Cloud Storage
Cloud Storage → Decrypt (AES-256-GCM) → Your file
Encryption Algorithm
| Property | Detail |
|---|---|
| Algorithm | AES-256-GCM |
| Key Size | 256 bits (32 bytes) |
| IV/Nonce | 12 bytes (randomly generated per file) |
| Auth Tag | 16 bytes (integrity verification) |
| Standard | NIST SP 800-38D approved |
| Overhead per file | 28 bytes (negligible) |
AES-256-GCM is the same standard used in TLS 1.3 (which secures HTTPS connections), AWS S3 encryption, and Google Cloud Storage encryption.
Key Management
NugetHosting uses a two-tier key hierarchy to protect your data:
1. Master Key (Platform Level)
A single AES-256 key that protects all per-user keys. Stored securely in the platform's environment, never in the database.
2. Per-User Key (Tenant Level)
A unique AES-256 key generated for each user. This key is encrypted with the master key and stored in the database. Your files are encrypted with this key.
Why per-user keys? If one user's key were compromised, only that user's data would be at risk — not the entire platform's data. This provides defense-in-depth isolation between tenants.
What Is Encrypted
| Data Type | Encrypted? | Details |
|---|---|---|
| NuGet packages (.nupkg) | ✓ Yes | Full file encrypted |
| Docker image layers | ✓ Yes | Each layer encrypted individually |
| Package metadata | No | Names, versions, descriptions stored in DB for search |
| Docker manifests | No | Required unencrypted for Docker protocol compatibility |
FAQ
Do I need to configure anything?
No. Encryption is automatic and transparent. Your keys are generated on your first upload and managed by the platform.
Will encryption affect my upload/download speed?
The impact is negligible. AES-256-GCM is hardware-accelerated on modern processors (via AES-NI instructions), adding less than 1ms of latency per operation for typical package sizes.
Can NugetHosting access my packages?
Technically, yes — since the platform manages the encryption keys (server-side encryption). This is required for compatibility with NuGet and Docker protocols. For a fully zero-knowledge solution, client-side encryption would be needed, but this would break standard tooling compatibility.
What happens if I delete my account?
Your encryption key and all encrypted data are permanently deleted. There is no way to recover your packages after account deletion.
Are packages uploaded before encryption was enabled still protected?
Pre-existing packages remain unencrypted but functional. New uploads are automatically encrypted. We plan to offer a migration tool to encrypt existing packages in the future.