v0.2.0 — Asymmetric (multi-recipient) encryption
New Features
Asymmetric encryption support — .env files can now be encrypted for one or more recipients using X25519 public-key cryptography. Each recipient holds their own private key; the shared data encryption key (DEK) is independently wrapped for every recipient.
dotseal keygen— generate a new X25519 recipient keypair (.dotseal.prv/ public key printed to stdout)dotseal encrypt --recipient <pubkey>— encrypt a file for one or more recipients (pass the flag multiple times)dotseal decrypt— decrypt using the private key (from.dotseal.prvorDOTSEAL_PRIVATE_KEYenv var)dotseal add-recipient— re-encrypt the DEK for a new recipient without re-encrypting the valuesdotseal rm-recipient— remove a recipient by fingerprint
New Python API
encrypt_text_asymmetric(text, recipient_public_keys)/decrypt_text_asymmetric(text, private_key)/decrypt_to_dict_asymmetric(text, private_key)generate_recipient_keypair()— returns(private_key_str, public_key_str)add_recipient_to_text()/remove_recipient_from_text()resolve_private_key(),public_key_str_from_private(),recipient_fingerprint()file_mode(text)— returns"symmetric"or"asymmetric"for a given encrypted file
New exceptions: PrivateKeyNotFoundError, InvalidRecipientKeyError, RecipientNotFoundError
Notes
- Symmetric encryption (master key) is unchanged and fully backward-compatible.
- The existing
DOTSEAL_MASTER_KEY/.dotseal.keyworkflow is unaffected. - Private keys are stored with
0o600permissions and auto-added to.gitignore.