diff --git a/DigitalData.Core.Security/CryptFactory.cs b/DigitalData.Core.Security/CryptFactory.cs
index 3e52517..a682990 100644
--- a/DigitalData.Core.Security/CryptFactory.cs
+++ b/DigitalData.Core.Security/CryptFactory.cs
@@ -23,8 +23,38 @@ namespace DigitalData.Core.Security
 
         public bool TryGetRSADecryptor(string key, out IRSADecryptor? decryptor) => _decryptors.TryGetValue(key, out decryptor);
 
+        public static readonly string DefaultEncryptedPrivateKeyFileTag = "enc-private";
+
+        public static readonly string DefaultPrivateKeyFileTag = "private";
+
+        public static readonly string DefaultPublicKeyFileTag = "public";
+
+        public static readonly IEnumerable<string> KeyFileTags = new string[] { DefaultEncryptedPrivateKeyFileTag, DefaultPrivateKeyFileTag, DefaultPublicKeyFileTag };
+
+        private static readonly Lazy<IEnumerable<string>> LazyLowerFileTags = new(() => KeyFileTags.Select(tag => tag.ToLower()));
+
+        //TODO: make the validation using regex
         public static string DefaultRSADecryptorKeyFormatter(IRSADecryptor decryptor, string issuer, string audience, string separator = "-_-")
-        {
+        {            
+            void ValidateForbidden(string value, string paramName)
+            {
+                if (Path.GetInvalidFileNameChars().Any(value.Contains) || LazyLowerFileTags.Value.Any(tag => value.ToLower().Contains(tag)))
+                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains forbidden characters that are not allowed in file naming.", paramName);
+            }
+
+            static void ValidateSeparator(string value, string paramName, string separator)
+            {
+                if (value.Contains(separator))
+                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains separator characters ({separator}) that are not allowed in file naming.", paramName);
+            }
+
+            ValidateForbidden(issuer, nameof(issuer));
+            ValidateForbidden(audience, nameof(audience));
+            ValidateForbidden(separator, nameof(separator));
+
+            ValidateSeparator(issuer, nameof(issuer), separator);
+            ValidateSeparator(audience, nameof(audience), separator);
+
             var sb = new StringBuilder(issuer.Length + audience.Length + separator.Length * 2 + 20);
             sb.Append(issuer).Append(separator).Append(audience).Append(separator);
 
@@ -33,10 +63,7 @@ namespace DigitalData.Core.Security
             else
                 sb.Append("private");
 
-            var rsaKey = sb.Append(".pem").ToString();
-
-            if (Path.GetInvalidFileNameChars().Any(rsaKey.Contains))
-                throw new ArgumentException("RSA decryptor key name creation is forbidden. The key contains forbidden characters that are not allowed in file naming.", nameof(rsaKey));
+            var rsaKey = sb.Append(".pem").ToString();                      
 
             return rsaKey;
         }