Skip to content

Releases: Jastchi/dotseal

v0.3.1 — Maintenance release

Choose a tag to compare

@Jastchi Jastchi released this 29 Jun 11:52
7917b54

Maintenance

  • Removed upper version cap on cryptography to allow v49 and later

VS Code Extension v0.1.3

Choose a tag to compare

@Jastchi Jastchi released this 14 Jun 13:58

Adds an icon to the dotseal extension.

Changes

  • Extension icon: dotseal now has an icon displayed in the VS Code Extensions panel.

Installation

Download dotseal-vscode-0.1.3.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.

v0.3.0 — Selective encryption, get/set, and key rotation

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 11:11
4c6b590

Features

Selective encryption — Leave chosen variables readable in committed .env.enc files while sealing secrets.

  • dotseal encrypt --plain-key … / --plain-key-regex … and the same flags on edit
  • Plaintext policy is stored in the file footer (plain_keys, plain_re) and preserved on re-encrypt/rotate
  • Docs updated in USAGE.md, FILE_FORMAT.md, and KEY_MANAGEMENT.md

Get and set individual values — Read or update one variable without decrypting the whole file to disk.

  • dotseal get KEY (optional default when missing)
  • dotseal set KEY VALUE
  • get_value() / set_value() in the Python API; KeyNotFoundError for missing keys

Key rotation — Re-encrypt existing files under new key material while preserving plaintext policy.

  • dotseal rotate --new-key-file … (symmetric) or --new-private-key-file … (asymmetric)
  • rotate_text() / rotate_text_asymmetric() in the Python API

Improvements

  • CodeQL analysis for Python and TypeScript
  • Core helpers centralized (write_secret_file, VALID_KEY_RE, upward key lookup, already_encrypted_keys)
  • Duplicate env keys: get uses the last matching entry
  • Stricter validation for variable names and master key base64
  • KeyNotFoundError now inherits from KeyError

Notes

  • Selective encryption is for non-secrets only — plaintext values remain visible in git history.
  • VS Code / Cursor extension: use ext-v0.1.2 or later for matching selective-encryption behavior when creating new encrypted files from the editor.

v0.2.1 — Idempotent re-encryption and safer key handling

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 08:38

Improvements

Idempotent re-encryptiondotseal edit and append-to-.env.enc workflows now preserve ciphertext for unchanged values, so git diffs show only what actually changed. If you save without edits, the file is left untouched.

  • reencrypt_text() / reencrypt_text_asymmetric() — new library API for the same behavior
  • dotseal encrypt still skips values already encrypted with the same key; refuses outright if existing ciphertext was made with a different key or the file is asymmetric (decrypt with the old key first, then encrypt with the new one)

Safer key resolution

  • --key-file / --private-key-file — explicit key file paths; a requested file that does not exist is an error (never silently overridden by env vars)
  • KeyManagementError — raised when key material does not match the file's recorded fingerprint

Parser & tooling

  • Inline comments on env entries are preserved through encrypt/decrypt/re-encrypt cycles
  • .gitignore auto-add respects negation (!) and simple globs
  • dotseal edit — if re-encryption fails, offers to re-open the editor; otherwise keeps your edits in the 0600 temp file and prints its path

Notes

  • Symmetric and asymmetric modes are unchanged aside from the safer encrypt/edit behavior above.
  • Runtime dependency is now cryptography>=42,<49 (was pinned to 48.0.1) to avoid version conflicts for library consumers.
  • README and uv.lock are synced with the existing Python 3.9 minimum (required by cryptography 48+).
  • VS Code / Cursor extension: use ext-v0.1.1 or later for matching edit/re-encrypt behavior. Compatibility is by on-disk file format (v=1 / v=2), not package version alone.

VS Code Extension v0.1.2

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 11:13

Updates the dotseal extension to match the CLI/library selective-encryption and core improvements from v0.3.0.

Features

  • Selective encryption on first savedotseal.plaintextKeys and dotseal.plaintextKeyRegex settings apply when the virtual editor creates a new .env.enc; existing files keep the policy stored in their footer
  • Preserves selective-encryption policy through re-encrypt on save
  • Python/TypeScript regex token encoding aligned (base64url with padding) so policies round-trip with the CLI

Improvements

  • rotateText() added to the extension core (parity with Python; no UI command yet)
  • Python-only regex patterns in an existing file footer are skipped safely (fail-closed: affected keys are re-encrypted rather than crashing the editor)

Installation

Download dotseal-vscode-0.1.2.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.

Notes

  • Tested against dotseal CLI/library v0.3.0. Older extension releases work with the same encrypted file format (v=1 / v=2) but lack selective-encryption settings and cross-language regex interoperability.
  • Plaintext policy settings only affect new encrypted files; use the CLI to change policy on existing files.

VS Code Extension v0.1.1

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 08:40

Updates the dotseal extension to match the CLI/library re-encryption and parser improvements from v0.2.1.

Features

  • Re-encrypts on save while preserving ciphertext for unchanged values (minimal .env.enc diffs)
  • Inline comments on env entries are preserved through encrypt/decrypt cycles
  • dotseal.masterKey is honored only from user settings (scope: application) — workspace settings are ignored so keys are not committed via .vscode/settings.json
  • Improved key resolution and decryption error handling, aligned with the Python implementation

Installation

Download dotseal-vscode-0.1.1.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.

Notes

  • Tested against dotseal CLI/library v0.2.1. Older extension releases (e.g. ext-v0.1.0) work with the same encrypted files (v=1 / v=2) but lack idempotent re-encryption and inline-comment preservation on save.

v0.2.0 — Asymmetric (multi-recipient) encryption

Choose a tag to compare

@Jastchi Jastchi released this 11 Jun 21:20

New Features

Asymmetric encryption support.env files can now be encrypted for one or more recipients using X25519 public-key cryptography. Each recipient holds their own private key; the shared data encryption key (DEK) is independently wrapped for every recipient.

  • dotseal keygen — generate a new X25519 recipient keypair (.dotseal.prv / public key printed to stdout)
  • dotseal encrypt --recipient <pubkey> — encrypt a file for one or more recipients (pass the flag multiple times)
  • dotseal decrypt — decrypt using the private key (from .dotseal.prv or DOTSEAL_PRIVATE_KEY env var)
  • dotseal add-recipient — re-encrypt the DEK for a new recipient without re-encrypting the values
  • dotseal rm-recipient — remove a recipient by fingerprint

New Python API

  • encrypt_text_asymmetric(text, recipient_public_keys) / decrypt_text_asymmetric(text, private_key) / decrypt_to_dict_asymmetric(text, private_key)
  • generate_recipient_keypair() — returns (private_key_str, public_key_str)
  • add_recipient_to_text() / remove_recipient_from_text()
  • resolve_private_key(), public_key_str_from_private(), recipient_fingerprint()
  • file_mode(text) — returns "symmetric" or "asymmetric" for a given encrypted file

New exceptions: PrivateKeyNotFoundError, InvalidRecipientKeyError, RecipientNotFoundError

Notes

  • Symmetric encryption (master key) is unchanged and fully backward-compatible.
  • The existing DOTSEAL_MASTER_KEY / .dotseal.key workflow is unaffected.
  • Private keys are stored with 0o600 permissions and auto-added to .gitignore.

VS Code Extension v0.1.0

Choose a tag to compare

@Jastchi Jastchi released this 11 Jun 21:06

Adds a VS Code / Cursor extension for editing encrypted .env.enc files as decrypted virtual documents.

Features

  • Automatically opens .env.enc files through a decrypted virtual editor
  • Supports both symmetric and asymmetric (multi-recipient) dotseal files
  • Configurable key file path via dotseal.keyFile setting
  • Dotseal: Open Encrypted Env command for manual opening

Installation

Download dotseal-vscode-0.1.0.vsix below and install via Extensions: Install from VSIX in VS Code or Cursor.