Skip to main content

Git-friendly encrypted .env files with cleartext keys and sealed values (SOPS-inspired structural encryption).

Project description

dotseal

Tests Lint CodeQL codecov PyPI Python 3.9+ License: MIT

Git-friendly encrypted .env files with cleartext keys and sealed values.

dotseal encrypts only variable values, so you can safely commit .env.enc, review diffs, and keep secrets out of git history.

  DATABASE_URL=ENC[AES_GCM,data:Zm9vYmFy...]
- DEBUG=ENC[AES_GCM,data:TXVzaWM=]
+ DEBUG=ENC[AES_GCM,data:b3RoZXI=]
  API_KEY=ENC[AES_GCM,data:c2VjcmV0...]

Installation

pip install dotseal

Requires Python 3.9+. Using uv? uv add dotseal.

Quickstart

# 1) Generate a local key (saved to .dotseal.key and gitignored)
dotseal init

# 2) Encrypt .env -> .env.enc (commit .env.enc only)
dotseal encrypt

# 3) Decrypt when needed
dotseal decrypt

Runtime load (no cleartext file required):

from dotseal import load_env

load_env()  # reads .env.enc and injects decrypted values into os.environ

Not sure which mode to use?

  • Solo or small trusted setup: start with symmetric mode (dotseal init + dotseal encrypt).
  • Team sharing without distributing one shared secret: use asymmetric mode.
  • If you are unsure, start symmetric and switch later when sharing/revocation needs grow.
  • Details: Asymmetric mode, Key management.

What gets committed?

File Commit it? Why
.env.enc Yes Encrypted values with reviewable keys
.env No Cleartext secrets
.dotseal.key Never Symmetric master key
.dotseal.prv Never Asymmetric private key
dsk-pub-... Yes Asymmetric public keys are safe to share

Documentation

Use the docs as the source of truth for all details:

Security

  • AES-256-GCM authenticated encryption with per-value nonces.
  • Variable names are bound as AAD, so ciphertext cannot be swapped across keys.
  • Integrity is per value (review .env.enc changes like code changes).
  • Selective encryption (--plain-key, --plain-key-regex) leaves chosen values readable in the committed file and in git history; use only for non-secrets.

Report vulnerabilities privately via SECURITY.md.

Contributing

See CONTRIBUTING.md.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dotseal-0.3.0.tar.gz (722.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dotseal-0.3.0-py3-none-any.whl (31.5 kB view details)

Uploaded Python 3

File details

Details for the file dotseal-0.3.0.tar.gz.

File metadata

  • Download URL: dotseal-0.3.0.tar.gz
  • Upload date:
  • Size: 722.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotseal-0.3.0.tar.gz
Algorithm Hash digest
SHA256 1dfb6019cbcfdfcdff13f8178d2cda72b5645c7f5070a84f37ecb5c1919c260a
MD5 1c057cce14167076e1a0b9cdac5dc0a2
BLAKE2b-256 861edd31699dcc0dc11755fcacffce3aea330eba56df7de22d906d92bb8d0474

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotseal-0.3.0.tar.gz:

Publisher: publish.yml on Jastchi/dotseal

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotseal-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: dotseal-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 31.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotseal-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 dd0302742955ca957b04bb9f87dbe8791a2c63d6f0000116d84353c2b0e944e8
MD5 57d266fda475bb814fd0014bfc390d10
BLAKE2b-256 4aaf7bedd042bb4a76403ad6feefa3b8a91b6e372e8e536d2b44614fa3f56e9c

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotseal-0.3.0-py3-none-any.whl:

Publisher: publish.yml on Jastchi/dotseal

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page