Skip to content

v0.3.0 — Selective encryption, get/set, and key rotation

Choose a tag to compare

@Jastchi Jastchi released this 13 Jun 11:11
4c6b590

Features

Selective encryption — Leave chosen variables readable in committed .env.enc files while sealing secrets.

  • dotseal encrypt --plain-key … / --plain-key-regex … and the same flags on edit
  • Plaintext policy is stored in the file footer (plain_keys, plain_re) and preserved on re-encrypt/rotate
  • Docs updated in USAGE.md, FILE_FORMAT.md, and KEY_MANAGEMENT.md

Get and set individual values — Read or update one variable without decrypting the whole file to disk.

  • dotseal get KEY (optional default when missing)
  • dotseal set KEY VALUE
  • get_value() / set_value() in the Python API; KeyNotFoundError for missing keys

Key rotation — Re-encrypt existing files under new key material while preserving plaintext policy.

  • dotseal rotate --new-key-file … (symmetric) or --new-private-key-file … (asymmetric)
  • rotate_text() / rotate_text_asymmetric() in the Python API

Improvements

  • CodeQL analysis for Python and TypeScript
  • Core helpers centralized (write_secret_file, VALID_KEY_RE, upward key lookup, already_encrypted_keys)
  • Duplicate env keys: get uses the last matching entry
  • Stricter validation for variable names and master key base64
  • KeyNotFoundError now inherits from KeyError

Notes

  • Selective encryption is for non-secrets only — plaintext values remain visible in git history.
  • VS Code / Cursor extension: use ext-v0.1.2 or later for matching selective-encryption behavior when creating new encrypted files from the editor.