Options

Tayra is configured through the TayraOptions class, which can be set via the AddTayra() overload that accepts an Action<TayraOptions>.

Configuration Example

```cs
// TayraOptions — configures the Tayra encryption engine
//
// Property          Type        Default              Description
// ───────────────── ─────────── ──────────────────── ────────────────────────────
// KeyCacheDuration  TimeSpan    5 minutes            How long keys are held in the MemoryCache
// KeySizeInBits     int         256                  AES key size (128, 192, or 256)
// LicenseKey        string?     null                 ECDSA P-256 license key for production
var options = new TayraOptions
{
    KeyCacheDuration = TimeSpan.FromMinutes(5),
    KeySizeInBits = 256,
    LicenseKey = null,
};
```

Options Reference

| Property | Type | Default | Description |
| --- | --- | --- | --- |
| `KeyCacheDuration` | `TimeSpan` | 5 minutes | How long encryption keys are held in the in-memory MemoryCache before being re-fetched from the key store. |
| `KeySizeInBits` | `int` | 256 | AES key size in bits. Valid values: 128, 192, 256. |
| `LicenseKey` | `string?` | null | ECDSA P-256 license key. Required in all environments -- request a free trial key at tayra.dev. |
| `BlindIndex` | `BlindIndexOptions` | empty | Blind index configuration object. |
| `Masking` | `MaskingOptions` | empty | Masking configuration object. |
| `AuditLogging` | `AuditLoggingOptions` | minimized IDs | Controls default audit log identifier exposure. By default, key/subject IDs are prefix+hash minimized; set `AuditLogging.LogFullIdentifiers = true` to opt in to full identifiers. |

| Method | Returns | Description |
| --- | --- | --- |
| `Entity<T>(Action<EntityTypeBuilder<T>>)` | `TayraOptions` | Configures an entity type for PII protection and/or blind indexing using the fluent API. |

Setting Options

Pass a configuration delegate to AddTayra():

```cs
var fullServices = new ServiceCollection();
fullServices.AddTayra(opts =>
{
    opts.LicenseKey = licenseKey;

    // How long encryption keys are cached in memory (default: 5 minutes)
    opts.KeyCacheDuration = TimeSpan.FromMinutes(10);

    // AES key size — 128, 192, or 256 bits (default: 256)
    opts.KeySizeInBits = 256;
});
```

You can also bind options from IConfiguration using the standard .NET options pattern:

```csharp
services.Configure<TayraOptions>(configuration.GetSection("Tayra"));
services.AddTayra(); // license key comes from config; chain a production key store as needed
```

With a corresponding appsettings.json:

```json
{
  "Tayra": {
    "KeyCacheDuration": "00:10:00",
    "KeySizeInBits": 256,
    "LicenseKey": "your-license-key-here"
  }
}
```

Cache Duration Tradeoffs

The KeyCacheDuration setting controls how long encryption keys are held in memory after being retrieved from the key store.

Short cache (1-2 minutes)

Better for scenarios where keys change frequently, such as during key rotation. The tradeoff is more frequent calls to the key store, which increases latency and load.

Long cache (30+ minutes)

Reduces key store calls significantly, improving performance. However, after a key is deleted for crypto-shredding, cached copies of the key remain usable until the cache entry expires. The ShredAsync method on ITayra evicts the key from the local cache immediately, but other application instances may still have cached copies.

For most applications, the default of 5 minutes provides a good balance. In distributed deployments, keep the cache duration shorter to ensure crypto-shredding takes effect across all instances within an acceptable window.
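The shredding window described above, shown in a small model. This is an added example, not Tayra's code: the `Instance` class, the dictionary standing in for the key store, and the manual clock are hypothetical, and absolute expiry (an entry cached at time t is usable until t + KeyCacheDuration) is an assumption.

```csharp
// Added model of per-instance key caching; not Tayra's implementation.
// Instance, the dictionary key store and the manual clock are hypothetical.
using System;
using System.Collections.Generic;

var ttl = TimeSpan.FromMinutes(5);            // mirrors the KeyCacheDuration default
var id = "subject-1";                         // constructed key ID
var store = new Dictionary<string, byte[]> { [id] = new byte[32] }; // constructed key
var a = new Instance(store, ttl);
var b = new Instance(store, ttl);

// t = 0: both instances fetch the key and cache it.
var now = TimeSpan.Zero;
a.CanUseKey(id, now);
b.CanUseKey(id, now);

// t = 1 min: A shreds. The store and A's cache are cleared; B is not notified.
now = TimeSpan.FromMinutes(1);
a.Shred(id);
Console.WriteLine($"t=1m A usable: {a.CanUseKey(id, now)}");
Console.WriteLine($"t=1m B usable: {b.CanUseKey(id, now)}");

// t = 5 min: B's entry from t = 0 has expired and the store has nothing to return.
now = TimeSpan.FromMinutes(5);
Console.WriteLine($"t=5m B usable: {b.CanUseKey(id, now)}");

sealed class Instance
{
    private readonly Dictionary<string, byte[]> _store;
    private readonly TimeSpan _ttl;
    private readonly Dictionary<string, (byte[] Key, TimeSpan Expires)> _cache = new();

    public Instance(Dictionary<string, byte[]> store, TimeSpan ttl) { _store = store; _ttl = ttl; }

    public bool CanUseKey(string keyId, TimeSpan now)
    {
        if (_cache.TryGetValue(keyId, out var entry) && now < entry.Expires) return true;
        _cache.Remove(keyId);                                      // drop the expired entry
        if (!_store.TryGetValue(keyId, out var key)) return false; // shredded in the store
        _cache[keyId] = (key, now + _ttl);                         // absolute expiry (assumed)
        return true;
    }

    public void Shred(string keyId)
    {
        _store.Remove(keyId);  // delete from the shared key store
        _cache.Remove(keyId);  // evict locally only
    }
}
```

In this model B still reports the key as usable at t=1m and stops at t=5m, so the worst-case window after a shred equals the configured cache duration.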

Key Size

AES-256 (the default) is recommended for all new deployments. AES-128 and AES-192 are supported for compatibility with existing systems but offer a smaller security margin.

| Key Size | Bytes | Security Level |
| --- | --- | --- |
| 128 bits | 16 bytes | Standard |
| 192 bits | 24 bytes | High |
| 256 bits | 32 bytes | Maximum |

Do Not Change Key Size After Deployment

Changing KeySizeInBits after data has been encrypted will cause decryption failures. The key size is not stored in the wire format -- it is determined by the key itself. If you need to change key sizes, use key rotation to re-encrypt existing data.

See Also