A secure, production-oriented gRPC-based tokenization service supporting format-preserving encryption (FPE), HMAC, hashing, and AES-GCM encryption.
The service integrates with Vault for key management and supports tenant-aware key rotation and deterministic field-level key derivation.
The service targets netstandard 2.0 so that it remains compatible with the majority of runtime versions used in legacy environments.
- gRPC API (Unary + Bidirectional Streaming)
- Multi-tenant key management
- HKDF-based per-field key derivation
- AES-256-GCM encryption
- SHA-256 hashing
- HMAC-SHA256 tokenization
- Format-Preserving Encryption (FF1 / FF3-1)
- Optional reversible token storage
- Key rotation support
- Vault-backed key provider
- Keycloak JWT validation (Authorization Interceptor)
- Full integration and unit tests
The service follows clean separation of concerns:
- IKeyProvider – abstraction for key management
- ITokenStore – abstraction for token persistence
- IFpeEngine – pluggable FPE engine
- gRPC service layer
- Crypto abstraction layer
Key derivation is performed per:
tenant + keyId + field
using HKDF, so that key material for one tenant, key ID or field is cryptographically isolated from every other.
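The derivation scheme above, as an added illustration in Python rather than the service's own C#/BouncyCastle code: HKDF-SHA256 (RFC 5869) with the tenant, key ID and field name bound into the `info` parameter, so rotating to a new key ID or deriving for a different field yields an unrelated key. The `tenant_key` input, the salt label and the NUL-separated `info` layout are assumptions of this example, not the project's actual encoding.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is a string of HashLen zero bytes.
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_field_key(tenant_key: bytes, tenant: str, key_id: str, field: str) -> bytes:
    """Derive a 32-byte (AES-256-GCM) key bound to one tenant/keyId/field.

    tenant_key stands in for the tenant's root key fetched from the key
    provider (assumed). The info layout uses a NUL separator so that
    ("ab", "c") and ("a", "bc") cannot collide into the same info string.
    """
    info = b"\x00".join(s.encode("utf-8") for s in (tenant, key_id, field))
    prk = hkdf_extract(b"tokenization-service-v1", tenant_key)  # label is assumed
    return hkdf_expand(prk, info, 32)
```

Because the key ID is part of the derivation input, old tokens stay decryptable only while the root material for that key ID is still retained by the key provider.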
- gRPC
- BouncyCastle (Crypto)
- Vault (Key management)
- Keycloak (JWT validation)
- xUnit (Testing)
| Type | Reversible | Store Required |
|---|---|---|
| Random | Yes | Yes |
| Hash | No | Optional |
| HMAC | No | Optional |
| FPE | Yes | No |
| Encrypted | Yes | No |
Keys can be rotated per tenant.
New tokens use the active key ID, while older tokens remain valid as long as their key material is retained.
The project includes:
- Unit tests
- Integration tests
- End-to-end tests (Vault + Keycloak)
Run:

```
dotnet test
```
Architecture diagram icons by Icons8 (used under free license).