Skip to main content

Git-friendly encrypted .env files with cleartext keys and sealed values (SOPS-inspired structural encryption).

Project description

dotseal

Tests Lint CodeQL codecov PyPI Python 3.9+ License: MIT

Git-friendly encrypted .env files with cleartext keys and sealed values.

  DEBUG=false
- API_KEY=ENC[AES_GCM,data:c2VjcmV0...]
+ API_KEY=ENC[AES_GCM,data:b3RoZXI=]
  DATABASE_URL=ENC[AES_GCM,data:Zm9vYmFy...]

DEBUG is left unencrypted using --plain-key — safe for non-sensitive values.

Installation

pip install dotseal  # or: uv add dotseal

Requires Python 3.9+.

Quickstart

# 1) Generate a local key (saved to .dotseal.key and gitignored)
dotseal init

# 2) Encrypt .env -> .env.enc (commit .env.enc only)
dotseal encrypt

# 3) Decrypt when needed
dotseal decrypt

Runtime load (no cleartext file required):

from dotseal import load_env

load_env()  # reads .env.enc and injects decrypted values into os.environ

What gets committed?

File Commit it? Why
.env.enc Yes Encrypted values with reviewable keys
.env No Cleartext secrets
.dotseal.key Never Symmetric master key
.dotseal.prv Never Asymmetric private key
dsk-pub-... Yes Asymmetric public keys are safe to share

Documentation

Use the docs as the source of truth for all details:

Security

  • Selective encryption (--plain-key, --plain-key-regex) leaves chosen values in cleartext in .env.enc and git history; use only for non-secrets.
  • AES-256-GCM authenticated encryption with per-value nonces.
  • Variable names are bound as AAD, so ciphertext cannot be swapped across keys.
  • Integrity is per value — review .env.enc changes like code changes.

Report vulnerabilities privately via SECURITY.md.

Contributing

See CONTRIBUTING.md.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dotseal-0.3.1.tar.gz (743.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dotseal-0.3.1-py3-none-any.whl (31.3 kB view details)

Uploaded Python 3

File details

Details for the file dotseal-0.3.1.tar.gz.

File metadata

  • Download URL: dotseal-0.3.1.tar.gz
  • Upload date:
  • Size: 743.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for dotseal-0.3.1.tar.gz
Algorithm Hash digest
SHA256 c7b9db984548452095a6572945bba43a11cd3759cba513514fc53b4a748d6f8f
MD5 7807a489bde23772aa2e031b72c6a33e
BLAKE2b-256 e96b82c576656a82991deb0739fd1a216f42713f543b5458b2abd38f061f62b3

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotseal-0.3.1.tar.gz:

Publisher: publish.yml on Jastchi/dotseal

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotseal-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: dotseal-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 31.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for dotseal-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9bd17c274c16480c878ea8cf3071ffd76f947156151aac2a00966c3c3d2d74c4
MD5 23f0c99455e6662d9ac50703c7c6efc9
BLAKE2b-256 f4a549e85d94fed938de3816b8364f22714f6f462ff8bc7989927a99a4bec09f

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotseal-0.3.1-py3-none-any.whl:

Publisher: publish.yml on Jastchi/dotseal

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page