cargo-sealed 0.1.0

CLI for storing encrypted environment variables in .env files
cargo-sealed-0.1.0 is not a library.

cargo-sealed (CLI)

Small CLI for storing encrypted environment variables directly in .env files. Only values are encrypted, so files remain diffable and Git-friendly. One key per project, no interactive prompts, safe defaults, and Unix-friendly behavior.

Install

cargo install cargo-sealed
sealed --help

How it works

  • Encrypts with ChaCha20-Poly1305.
  • Uses the variable name as AAD.
  • Stores values as: ENCv1:<base64(nonce)>:<base64(ciphertext)>

Commands

sealed set <VAR_NAME>
sealed get <VAR_NAME>
sealed keygen

Examples Generate a key

sealed keygen
sealed keygen -o .sealed.key

Set a value from stdin

echo -n "supersecret" | sealed set DATABASE_PASSWORD -s -k "<base64-key>"

Set a value from a file

sealed set DATABASE_PASSWORD -f ./secret.txt -k "<base64-key>"

Set a value using key from env

export SEALED_KEY="<base64-key>"
echo -n "supersecret" | sealed set DATABASE_PASSWORD -s

Read a value

sealed get DATABASE_PASSWORD

Reveal plaintext (requires key)

sealed get DATABASE_PASSWORD -r -k "<base64-key>"

Env file format example

DATABASE_PASSWORD=ENCv1:2s8fK0cPpFJ6x2xZ1C9kLw==:mKJrY0GmZCq7cN5h4F2...

Notes

  • If a value is not encrypted, sealed get prints it as-is.
  • Stdin can be used only once; --stdin and --key-stdin cannot be combined.
  • For --value, pass --allow-argv explicitly.

Exit codes

  • 0: success
  • 1: variable not found
  • 2: decryption or key error
  • 3: invalid arguments
  • 4: env file error