Metadata-Version: 2.4
Name: envlock
Version: 1.0.0
Summary: A secure CLI tool for encrypting, decrypting, shredding, and rotating secrets files using strong symmetric encryption.
Author-email: Nikhil John <me@nikz.in>
License-Expression: MIT
Project-URL: Homepage, https://github.com/nikhiljohn10/envlock
Project-URL: Issues, https://github.com/nikhiljohn10/envlock/issues
Keywords: encryption,secrets,cli,security,cryptography,locker,vault,file,python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Operating System :: OS Independent
Classifier: Intended Audience :: Developers
Classifier: Environment :: Console
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click>=8.2.1
Requires-Dist: cryptography>=45.0.4
Provides-Extra: test
Requires-Dist: pytest>=8.4.1; extra == "test"
Requires-Dist: pytest-cov>=5.0.0; extra == "test"
Dynamic: license-file

# ENVLock

[![PyPI version](https://img.shields.io/pypi/v/envlock.svg)](https://pypi.org/project/envlock/)
[![Python versions](https://img.shields.io/pypi/pyversions/envlock.svg)](https://pypi.org/project/envlock/)
[![codecov](https://codecov.io/gh/nikhiljohn10/envlock/branch/main/graph/badge.svg)](https://codecov.io/gh/nikhiljohn10/envlock)
[![License](https://img.shields.io/github/license/nikhiljohn10/envlock.svg)](https://github.com/nikhiljohn10/envlock/blob/main/LICENSE)
[![Build Status](https://github.com/nikhiljohn10/envlock/actions/workflows/publish.yml/badge.svg)](https://github.com/nikhiljohn10/envlock/actions/workflows/publish.yml)
[![Snyk Vulnerabilities](https://snyk.io/test/github/nikhiljohn10/envlock/badge.svg)](https://snyk.io/test/github/nikhiljohn10/envlock)


A secure CLI tool for encrypting, decrypting, shredding, and rotating secrets files (e.g., `.env`) using strong symmetric encryption (Fernet/AES).

## Features
- Encrypt (`lock`) and decrypt (`unlock`) files with a 256-bit key
- Key can be provided as hex, base64, or via the `ENVLOCK_ENCRYPTION_KEY` environment variable
- Secure file shredding (overwriting and deleting original file)
- Key rotation (`renew`) for re-encrypting with a new key
- Short and long CLI options for all commands

## Installation

Requires Python 3.8+ and the `cryptography` and `click` packages:

```sh
pip install cryptography click
```

## Usage

### Lock a file (encrypt)

```sh
envlock lock [-f FILE] [-k KEY] [-h] [-s]
```
- `-f, --file`   : File to lock (default: `.env`)
- `-k, --key`    : Encryption key (hex or base64). If omitted, uses `ENVLOCK_ENCRYPTION_KEY` or generates a new key.
- `-h, --hide-key` : Hide generated key output (default: show)
- `-s, --shred`  : Securely delete original file after locking

**Example:**
```sh
envlock lock -f .env -s
```

### Unlock a file (decrypt)

```sh
envlock unlock [-f FILE] -k KEY
```
- `-f, --file`   : File to unlock (default: `.env.locked`)
- `-k, --key`    : Encryption key (hex or base64, required)

**Example:**
```sh
envlock unlock -f .env.locked -k <key>
```

### Renew (rotate) encryption key

```sh
envlock renew [-f FILE] --old-key OLDKEY [--new-key NEWKEY] [-h]
```
- `-f, --file`   : File to renew (default: `.env.locked`)
- `--old-key`    : Current encryption key (hex or base64, required)
- `--new-key`    : New encryption key (hex or base64, optional; if omitted, a new key is generated)
- `-h, --hide-key` : Hide generated new key output (default: show)

**Example:**
```sh
envlock renew --old-key <oldkey>
```

## Key Management
- Keys are 32 bytes (64 hex chars or 32 bytes base64)
- Store keys securely (never in your repo)
- You can use the `ENVLOCK_ENCRYPTION_KEY` environment variable for automation

## Security Notes
- The encrypted file can be public; only the key must remain secret
- Never print or log the key in CI/CD logs
- Use secure deletion (`--shred`) for sensitive files
- Rotate keys regularly and after any suspected compromise

## Shell Completion

`envlock` supports shell completion for bash, zsh, and fish. To enable it, run:

```sh
eval "$(_ENVLOCK_COMPLETE=source_bash envlock)"  # for bash
eval "$(_ENVLOCK_COMPLETE=source_zsh envlock)"   # for zsh
eval "$(_ENVLOCK_COMPLETE=source_fish envlock)"  # for fish
```

Add the appropriate line to your shell profile to enable completion permanently.

## Alternative Installation Methods

### macOS/Linux
You can create a Homebrew formula for `envlock` or use pipx:

```sh
pipx install envlock
```

### Windows
Install with pip or pipx:

```sh
pip install envlock
# or
pipx install envlock
```

## Troubleshooting

- **Upload to PyPI/TestPyPI fails with 400 Bad Request:**
  - Ensure your version is unique and not already uploaded.
  - Check your `pyproject.toml` for required fields.
  - Delete the `dist/` directory before building.
- **Key errors:**
  - Make sure your key is 32 bytes (64 hex chars or 32 bytes base64).
  - If using ENVLOCK_ENCRYPTION_KEY, ensure it is set in your environment.
- **Permission errors:**
  - Run the CLI with appropriate permissions for file access.

## FAQ

**Q: Can I use envlock for files other than .env?**
A: Yes, you can lock/unlock any file by specifying the `-f` option.

**Q: Is the encrypted file safe to store in version control?**
A: Yes, as long as you keep the key secret.

**Q: How do I rotate my encryption key?**
A: Use the `renew` command with `--old-key` and optionally `--new-key`.

**Q: How do I securely delete the original file?**
A: Use the `--shred` option with the `lock` command.

## License
MIT
