Skip to content

v0.2.0 — Asymmetric (multi-recipient) encryption

Choose a tag to compare

@Jastchi Jastchi released this 11 Jun 21:20

New Features

Asymmetric encryption support.env files can now be encrypted for one or more recipients using X25519 public-key cryptography. Each recipient holds their own private key; the shared data encryption key (DEK) is independently wrapped for every recipient.

  • dotseal keygen — generate a new X25519 recipient keypair (.dotseal.prv / public key printed to stdout)
  • dotseal encrypt --recipient <pubkey> — encrypt a file for one or more recipients (pass the flag multiple times)
  • dotseal decrypt — decrypt using the private key (from .dotseal.prv or DOTSEAL_PRIVATE_KEY env var)
  • dotseal add-recipient — re-encrypt the DEK for a new recipient without re-encrypting the values
  • dotseal rm-recipient — remove a recipient by fingerprint

New Python API

  • encrypt_text_asymmetric(text, recipient_public_keys) / decrypt_text_asymmetric(text, private_key) / decrypt_to_dict_asymmetric(text, private_key)
  • generate_recipient_keypair() — returns (private_key_str, public_key_str)
  • add_recipient_to_text() / remove_recipient_from_text()
  • resolve_private_key(), public_key_str_from_private(), recipient_fingerprint()
  • file_mode(text) — returns "symmetric" or "asymmetric" for a given encrypted file

New exceptions: PrivateKeyNotFoundError, InvalidRecipientKeyError, RecipientNotFoundError

Notes

  • Symmetric encryption (master key) is unchanged and fully backward-compatible.
  • The existing DOTSEAL_MASTER_KEY / .dotseal.key workflow is unaffected.
  • Private keys are stored with 0o600 permissions and auto-added to .gitignore.