Releases: Jastchi/dotseal
Release list
v0.3.1 — Maintenance release
Maintenance
- Removed upper version cap on
cryptographyto allow v49 and later
VS Code Extension v0.1.3
Adds an icon to the dotseal extension.
Changes
- Extension icon: dotseal now has an icon displayed in the VS Code Extensions panel.
Installation
Download dotseal-vscode-0.1.3.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.
v0.3.0 — Selective encryption, get/set, and key rotation
Features
Selective encryption — Leave chosen variables readable in committed .env.enc files while sealing secrets.
dotseal encrypt --plain-key …/--plain-key-regex …and the same flags onedit- Plaintext policy is stored in the file footer (
plain_keys,plain_re) and preserved on re-encrypt/rotate - Docs updated in
USAGE.md,FILE_FORMAT.md, andKEY_MANAGEMENT.md
Get and set individual values — Read or update one variable without decrypting the whole file to disk.
dotseal get KEY(optional default when missing)dotseal set KEY VALUEget_value()/set_value()in the Python API;KeyNotFoundErrorfor missing keys
Key rotation — Re-encrypt existing files under new key material while preserving plaintext policy.
dotseal rotate --new-key-file …(symmetric) or--new-private-key-file …(asymmetric)rotate_text()/rotate_text_asymmetric()in the Python API
Improvements
- CodeQL analysis for Python and TypeScript
- Core helpers centralized (
write_secret_file,VALID_KEY_RE, upward key lookup,already_encrypted_keys) - Duplicate env keys:
getuses the last matching entry - Stricter validation for variable names and master key base64
KeyNotFoundErrornow inherits fromKeyError
Notes
- Selective encryption is for non-secrets only — plaintext values remain visible in git history.
- VS Code / Cursor extension: use
ext-v0.1.2or later for matching selective-encryption behavior when creating new encrypted files from the editor.
v0.2.1 — Idempotent re-encryption and safer key handling
Improvements
Idempotent re-encryption — dotseal edit and append-to-.env.enc workflows now preserve ciphertext for unchanged values, so git diffs show only what actually changed. If you save without edits, the file is left untouched.
reencrypt_text()/reencrypt_text_asymmetric()— new library API for the same behaviordotseal encryptstill skips values already encrypted with the same key; refuses outright if existing ciphertext was made with a different key or the file is asymmetric (decrypt with the old key first, then encrypt with the new one)
Safer key resolution
--key-file/--private-key-file— explicit key file paths; a requested file that does not exist is an error (never silently overridden by env vars)KeyManagementError— raised when key material does not match the file's recorded fingerprint
Parser & tooling
- Inline comments on env entries are preserved through encrypt/decrypt/re-encrypt cycles
.gitignoreauto-add respects negation (!) and simple globsdotseal edit— if re-encryption fails, offers to re-open the editor; otherwise keeps your edits in the0600temp file and prints its path
Notes
- Symmetric and asymmetric modes are unchanged aside from the safer encrypt/edit behavior above.
- Runtime dependency is now
cryptography>=42,<49(was pinned to48.0.1) to avoid version conflicts for library consumers. - README and
uv.lockare synced with the existing Python 3.9 minimum (required bycryptography48+). - VS Code / Cursor extension: use
ext-v0.1.1or later for matching edit/re-encrypt behavior. Compatibility is by on-disk file format (v=1/v=2), not package version alone.
VS Code Extension v0.1.2
Updates the dotseal extension to match the CLI/library selective-encryption and core improvements from v0.3.0.
Features
- Selective encryption on first save —
dotseal.plaintextKeysanddotseal.plaintextKeyRegexsettings apply when the virtual editor creates a new.env.enc; existing files keep the policy stored in their footer - Preserves selective-encryption policy through re-encrypt on save
- Python/TypeScript regex token encoding aligned (base64url with padding) so policies round-trip with the CLI
Improvements
rotateText()added to the extension core (parity with Python; no UI command yet)- Python-only regex patterns in an existing file footer are skipped safely (fail-closed: affected keys are re-encrypted rather than crashing the editor)
Installation
Download dotseal-vscode-0.1.2.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.
Notes
- Tested against dotseal CLI/library v0.3.0. Older extension releases work with the same encrypted file format (
v=1/v=2) but lack selective-encryption settings and cross-language regex interoperability. - Plaintext policy settings only affect new encrypted files; use the CLI to change policy on existing files.
VS Code Extension v0.1.1
Updates the dotseal extension to match the CLI/library re-encryption and parser improvements from v0.2.1.
Features
- Re-encrypts on save while preserving ciphertext for unchanged values (minimal
.env.encdiffs) - Inline comments on env entries are preserved through encrypt/decrypt cycles
dotseal.masterKeyis honored only from user settings (scope: application) — workspace settings are ignored so keys are not committed via.vscode/settings.json- Improved key resolution and decryption error handling, aligned with the Python implementation
Installation
Download dotseal-vscode-0.1.1.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.
Notes
- Tested against dotseal CLI/library v0.2.1. Older extension releases (e.g.
ext-v0.1.0) work with the same encrypted files (v=1/v=2) but lack idempotent re-encryption and inline-comment preservation on save.
v0.2.0 — Asymmetric (multi-recipient) encryption
New Features
Asymmetric encryption support — .env files can now be encrypted for one or more recipients using X25519 public-key cryptography. Each recipient holds their own private key; the shared data encryption key (DEK) is independently wrapped for every recipient.
dotseal keygen— generate a new X25519 recipient keypair (.dotseal.prv/ public key printed to stdout)dotseal encrypt --recipient <pubkey>— encrypt a file for one or more recipients (pass the flag multiple times)dotseal decrypt— decrypt using the private key (from.dotseal.prvorDOTSEAL_PRIVATE_KEYenv var)dotseal add-recipient— re-encrypt the DEK for a new recipient without re-encrypting the valuesdotseal rm-recipient— remove a recipient by fingerprint
New Python API
encrypt_text_asymmetric(text, recipient_public_keys)/decrypt_text_asymmetric(text, private_key)/decrypt_to_dict_asymmetric(text, private_key)generate_recipient_keypair()— returns(private_key_str, public_key_str)add_recipient_to_text()/remove_recipient_from_text()resolve_private_key(),public_key_str_from_private(),recipient_fingerprint()file_mode(text)— returns"symmetric"or"asymmetric"for a given encrypted file
New exceptions: PrivateKeyNotFoundError, InvalidRecipientKeyError, RecipientNotFoundError
Notes
- Symmetric encryption (master key) is unchanged and fully backward-compatible.
- The existing
DOTSEAL_MASTER_KEY/.dotseal.keyworkflow is unaffected. - Private keys are stored with
0o600permissions and auto-added to.gitignore.
VS Code Extension v0.1.0
Adds a VS Code / Cursor extension for editing encrypted .env.enc files as decrypted virtual documents.
Features
- Automatically opens
.env.encfiles through a decrypted virtual editor - Supports both symmetric and asymmetric (multi-recipient) dotseal files
- Configurable key file path via
dotseal.keyFilesetting Dotseal: Open Encrypted Envcommand for manual opening
Installation
Download dotseal-vscode-0.1.0.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.