Git-friendly encrypted .env files with cleartext keys and sealed values (SOPS-inspired structural encryption).
Project description
dotseal
Git-friendly encrypted .env files with cleartext keys and sealed values.
DEBUG=false
- API_KEY=ENC[AES_GCM,data:c2VjcmV0...]
+ API_KEY=ENC[AES_GCM,data:b3RoZXI=]
DATABASE_URL=ENC[AES_GCM,data:Zm9vYmFy...]
DEBUG is left unencrypted using --plain-key — safe for non-sensitive values.
Installation
pip install dotseal # or: uv add dotseal
Requires Python 3.9+.
Quickstart
# 1) Generate a local key (saved to .dotseal.key and gitignored)
dotseal init
# 2) Encrypt .env -> .env.enc (commit .env.enc only)
dotseal encrypt
# 3) Decrypt when needed
dotseal decrypt
Runtime load (no cleartext file required):
from dotseal import load_env
load_env() # reads .env.enc and injects decrypted values into os.environ
What gets committed?
| File | Commit it? | Why |
|---|---|---|
.env.enc |
Yes | Encrypted values with reviewable keys |
.env |
No | Cleartext secrets |
.dotseal.key |
Never | Symmetric master key |
.dotseal.prv |
Never | Asymmetric private key |
dsk-pub-... |
Yes | Asymmetric public keys are safe to share |
Documentation
Use the docs as the source of truth for all details:
- Documentation index
- Usage and CLI
- Key management and rotation
- Asymmetric mode — not sure which mode to use? Start symmetric; switch when you need team sharing or revocation.
- CI/CD
- On-disk file format
- Editor integration
Security
- Selective encryption (
--plain-key,--plain-key-regex) leaves chosen values in cleartext in.env.encand git history; use only for non-secrets. - AES-256-GCM authenticated encryption with per-value nonces.
- Variable names are bound as AAD, so ciphertext cannot be swapped across keys.
- Integrity is per value — review
.env.encchanges like code changes.
Report vulnerabilities privately via SECURITY.md.
Contributing
See CONTRIBUTING.md.
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dotseal-0.3.1.tar.gz.
File metadata
- Download URL: dotseal-0.3.1.tar.gz
- Upload date:
- Size: 743.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c7b9db984548452095a6572945bba43a11cd3759cba513514fc53b4a748d6f8f
|
|
| MD5 |
7807a489bde23772aa2e031b72c6a33e
|
|
| BLAKE2b-256 |
e96b82c576656a82991deb0739fd1a216f42713f543b5458b2abd38f061f62b3
|
Provenance
The following attestation bundles were made for dotseal-0.3.1.tar.gz:
Publisher:
publish.yml on Jastchi/dotseal
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotseal-0.3.1.tar.gz -
Subject digest:
c7b9db984548452095a6572945bba43a11cd3759cba513514fc53b4a748d6f8f - Sigstore transparency entry: 2008464477
- Sigstore integration time:
-
Permalink:
Jastchi/dotseal@7917b54414292b3ef1cbd84364a835ed13fc380c -
Branch / Tag:
refs/tags/v0.3.1 - Owner: https://github.com/Jastchi
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@7917b54414292b3ef1cbd84364a835ed13fc380c -
Trigger Event:
release
-
Statement type:
File details
Details for the file dotseal-0.3.1-py3-none-any.whl.
File metadata
- Download URL: dotseal-0.3.1-py3-none-any.whl
- Upload date:
- Size: 31.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9bd17c274c16480c878ea8cf3071ffd76f947156151aac2a00966c3c3d2d74c4
|
|
| MD5 |
23f0c99455e6662d9ac50703c7c6efc9
|
|
| BLAKE2b-256 |
f4a549e85d94fed938de3816b8364f22714f6f462ff8bc7989927a99a4bec09f
|
Provenance
The following attestation bundles were made for dotseal-0.3.1-py3-none-any.whl:
Publisher:
publish.yml on Jastchi/dotseal
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotseal-0.3.1-py3-none-any.whl -
Subject digest:
9bd17c274c16480c878ea8cf3071ffd76f947156151aac2a00966c3c3d2d74c4 - Sigstore transparency entry: 2008464643
- Sigstore integration time:
-
Permalink:
Jastchi/dotseal@7917b54414292b3ef1cbd84364a835ed13fc380c -
Branch / Tag:
refs/tags/v0.3.1 - Owner: https://github.com/Jastchi
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@7917b54414292b3ef1cbd84364a835ed13fc380c -
Trigger Event:
release
-
Statement type: