Encrypt files at rest. AES-256-GCM encryption with Argon2 key derivation.
```bash
cargo install --path .
```

```bash
seal encrypt   # encrypt all files in current directory
seal decrypt   # decrypt all files
seal status    # show encryption state
```

| Command | Alias | Description |
|---|---|---|
| `encrypt [PATH] [PATTERNS]` | `e` | Encrypt files |
| `decrypt [PATH] [FILES]` | `d` | Decrypt files |
| `exec [PATTERNS] -- CMD` | `x` | Run command with decrypted files |
| `status [PATH]` | `st` | Show encryption state |
| `list [PATH]` | `ls` | List encrypted files |
| `verify [PATH]` | | Check password without decrypting |
| `rekey [PATH]` | | Change encryption password |
| `reset [PATH]` | | Remove encryption (requires `-f`) |
```bash
# Encrypt specific files
seal encrypt "*.pdf" "*.docx"

# Decrypt specific file
seal decrypt secrets.txt

# Run command on encrypted files
seal exec "*.csv" -- head -n 10

# Check password
seal verify

# Change password
seal rekey
```

```
-p, --password   Provide password (visible in history)
--dry-run        Show what would happen
--keep           Keep originals after encrypt
-f, --force      Force operation
-q, --quiet      Minimal output
-v, --verbose    Detailed output
```
Password sources, checked in order:

- `-p`/`--password` flag
- `SEAL_PASSWORD` environment variable
- `.seal/password` file
- Interactive prompt
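The lookup order above, sketched in Rust as an added example (not seal's own code). The names `Source`, `clean`, `pick` and `resolve` are hypothetical, and treating empty values as unset and stripping a trailing newline from the password file are assumptions the README does not state.

```rust
use std::{env, fs, path::Path};

/// Where the password came from, in the README's precedence order.
#[derive(Debug, PartialEq)]
enum Source {
    Flag,   // -p / --password (ends up in shell history)
    Env,    // SEAL_PASSWORD
    File,   // .seal/password
    Prompt, // nothing found, caller must ask interactively
}

/// Assumption: strip a trailing newline and treat empty values as unset.
fn clean(s: &str) -> Option<String> {
    let t = s.trim_end_matches(|c: char| c == '\n' || c == '\r');
    if t.is_empty() { None } else { Some(t.to_string()) }
}

/// Pure precedence logic: the first non-empty candidate wins.
fn pick(flag: Option<&str>, env_val: Option<&str>, file_val: Option<&str>) -> (Source, Option<String>) {
    if let Some(p) = flag.and_then(clean) {
        return (Source::Flag, Some(p));
    }
    if let Some(p) = env_val.and_then(clean) {
        return (Source::Env, Some(p));
    }
    if let Some(p) = file_val.and_then(clean) {
        return (Source::File, Some(p));
    }
    (Source::Prompt, None)
}

/// Gather the real inputs for a project directory and apply the order.
fn resolve(flag: Option<&str>, project: &Path) -> (Source, Option<String>) {
    let env_val = env::var("SEAL_PASSWORD").ok();
    let file_val = fs::read_to_string(project.join(".seal/password")).ok();
    pick(flag, env_val.as_deref(), file_val.as_deref())
}

fn main() {
    let (src, pw) = resolve(None, Path::new("."));
    // Report only the source; never print the password itself.
    eprintln!("password source: {:?} (found: {})", src, pw.is_some());
}
```

Because the flag is checked first, a `-p` left in a script overrides both `SEAL_PASSWORD` and `.seal/password`.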
| File | Purpose |
|---|---|
| `.sealignore` | Patterns to exclude from encryption |
| `.seal/password` | Password file (auto-gitignored) |
| `.seal/meta` | Encrypted file mapping |
- Files encrypted with AES-256-GCM, keys derived via Argon2
- Encrypted files get random 6-char names with `.sealed` extension
- Files scattered across random directories with decoy files
- Large files (>10MB) use streaming encryption (1MB chunks)
- Original directory structure restored on decrypt
- Password never stored, only salt
- Each file/chunk gets unique nonce
- Decoys hide file count
- Random names hide original filenames
MIT