Deneblab.StashLock.Cli 0.2.86

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet tool install --global Deneblab.StashLock.Cli --version 0.2.86
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local Deneblab.StashLock.Cli --version 0.2.86
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=Deneblab.StashLock.Cli&version=0.2.86
                    


                    

                
nuke :add-package Deneblab.StashLock.Cli --version 0.2.86

Deneblab.StashLock.Cli

Command-line interface for StashLock secrets management vault. Uses X25519 ECIES (Elliptic Curve Integrated Encryption Scheme) with AES-256-GCM for keypair-based secrets encryption.

Installation

dotnet tool install -g Deneblab.StashLock.Cli

Usage

1. Initialize a vault directory

stashlock init ./my-vault -tags production,develop

Creates a stashlock.config.json with the specified environment tags and auto-generates key files for each tag.

2. Generate key pairs

stashlock keygen ./my-vault

Generates X25519 key pairs (stashlock.key.{tag}.json) for each tag defined in the config. Skips existing key files.

3. Encrypt secrets

stashlock encode ./my-vault/secrets.json

Reads a plaintext JSON secrets file, encrypts it with each tag's public key using sealed box encryption, and outputs encrypted files (stashlock.enc.{tag}.secrets.json).

Two encryption modes are supported:

  • SOPS mode (default) — field-level encryption with MAC verification
  • Whole-file mode — encrypts entire JSON as a single blob

4. Decrypt secrets

stashlock decode ./my-vault/stashlock.enc.production.secrets.json

Decrypts an encrypted stashlock.enc.*.json file back to plaintext JSON. Auto-detects encryption mode and key file.

Options:

  • -key <path> — Specify key file path (auto-detected if omitted)
  • -output <path> — Write to file instead of stdout

5. Publish to vault server

stashlock publish ./my-vault/stashlock.enc.production.secrets.json

Uploads encrypted stashlock.enc.*.json files to the StashLock vault API. Extracts the vault key from the file metadata and POSTs the content to the server.

Accepts a single file or a directory (publishes all stashlock.enc.*.json files found).

# Publish all encrypted files in a directory
stashlock publish ./my-vault

# Publish with explicit API URL and key
stashlock publish ./my-vault --url https://my-vault.example.com/api --api-key my-secret-key

# Publish with TTL (auto-expires after 3600 seconds)
stashlock publish ./my-vault/stashlock.enc.production.secrets.json --expires-in 3600

Options:

  • --url <url> — API base URL (falls back to STASHLOCK_API_URL env var, then default)
  • --api-key <key> — API authentication key (falls back to STASHLOCK_API_KEY env var)
  • --expires-in <seconds> — TTL in seconds for the published secret

Commands

Command Description
stashlock init <dir> [-tags <tags>] Initialize a vault directory with config and tags
stashlock keygen <dir> Generate X25519 key pairs for each configured tag
stashlock encode <file> Encrypt a secrets file for all configured tags
stashlock decode <file> [-key <path>] [-output <path>] Decrypt a secrets file
stashlock publish <path> [--url <url>] [--api-key <key>] [--expires-in <sec>] Publish encrypted files to vault server

Workflow

init  -->  keygen  -->  encode  -->  publish  -->  decode
 |           |            |           |             |
 v           v            v           v             v
config     keypairs    encrypted   uploaded      plaintext
 file       files       files     to server       output

Encryption Details

  • Key Agreement: X25519 ECIES (Elliptic Curve Integrated Encryption Scheme)
  • Key Derivation: HKDF-SHA256
  • Symmetric Encryption: AES-256-GCM
  • Key Size: 32 bytes (X25519 public/private keys)
  • Nonce: 12 bytes (random per encryption)
  • Auth Tag: 16 bytes
  • Output format: ephemeral public key (32B) || nonce (12B) || ciphertext || tag (16B)

Environment Variables

Variable Purpose
STASHLOCK_VAULT_KEY Vault key string
STASHLOCK_API_URL Vault API base URL
STASHLOCK_API_KEY API authentication key

License

MIT

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
0.4.4 108 3/20/2026
0.4.3 95 3/13/2026
0.4.2 94 3/12/2026
0.3.122 90 3/12/2026
0.3.121 103 3/12/2026
0.3.119 96 3/12/2026
0.3.118 97 3/12/2026
0.3.117 94 3/12/2026
0.3.115 89 3/12/2026
0.3.112 93 3/12/2026
0.3.111 93 3/12/2026
0.3.110 99 3/12/2026
0.3.109 91 3/12/2026
0.3.108 101 3/11/2026
0.3.107 109 3/11/2026
0.3.106 91 3/11/2026
0.3.105 93 3/11/2026
0.3.103 90 3/11/2026
0.3.99 94 3/11/2026
0.2.86 88 3/10/2026
Loading failed