Skip to content

v0.2.1 — Idempotent re-encryption and safer key handling

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 08:38

Improvements

Idempotent re-encryptiondotseal edit and append-to-.env.enc workflows now preserve ciphertext for unchanged values, so git diffs show only what actually changed. If you save without edits, the file is left untouched.

  • reencrypt_text() / reencrypt_text_asymmetric() — new library API for the same behavior
  • dotseal encrypt still skips values already encrypted with the same key; refuses outright if existing ciphertext was made with a different key or the file is asymmetric (decrypt with the old key first, then encrypt with the new one)

Safer key resolution

  • --key-file / --private-key-file — explicit key file paths; a requested file that does not exist is an error (never silently overridden by env vars)
  • KeyManagementError — raised when key material does not match the file's recorded fingerprint

Parser & tooling

  • Inline comments on env entries are preserved through encrypt/decrypt/re-encrypt cycles
  • .gitignore auto-add respects negation (!) and simple globs
  • dotseal edit — if re-encryption fails, offers to re-open the editor; otherwise keeps your edits in the 0600 temp file and prints its path

Notes

  • Symmetric and asymmetric modes are unchanged aside from the safer encrypt/edit behavior above.
  • Runtime dependency is now cryptography>=42,<49 (was pinned to 48.0.1) to avoid version conflicts for library consumers.
  • README and uv.lock are synced with the existing Python 3.9 minimum (required by cryptography 48+).
  • VS Code / Cursor extension: use ext-v0.1.1 or later for matching edit/re-encrypt behavior. Compatibility is by on-disk file format (v=1 / v=2), not package version alone.