Serilog.Sinks.File.Encrypt.Cli 2.0.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet tool install --global Serilog.Sinks.File.Encrypt.Cli --version 2.0.0
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local Serilog.Sinks.File.Encrypt.Cli --version 2.0.0
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=Serilog.Sinks.File.Encrypt.Cli&version=2.0.0
                    


                    

                
nuke :add-package Serilog.Sinks.File.Encrypt.Cli --version 2.0.0

Serilog.Sinks.File.Encrypt CLI Tool

Build Status codecov NuGet NuGet Downloads License: MIT

A command-line tool for managing RSA key pairs and decrypting log files created by the Serilog.Sinks.File.Encrypt package.

🚧 Newly Released 🚧 This Cli is newly released. Commands and options may change in future versions. Please report any issues you encounter or suggestions for improvement.

Installation

Install the tool globally using the .NET CLI:

dotnet tool install --global Serilog.Sinks.File.Encrypt.Cli

Usage

Generate RSA Key Pair

Generate a new RSA public/private key pair for encrypting log files:

serilog-encrypt generate --output /path/to/keys

Options:

  • -o|--output <OUTPUT> (required): The directory where the key files will be saved

This creates two files:

  • private_key.xml: The private key used for decryption (keep secure)
  • public_key.xml: The public key used for encryption

Decrypt Log Files

Decrypt encrypted log files using your RSA private key:

# Decrypt a single file (output: app.decrypted.log in same directory)
serilog-encrypt decrypt app.log -k private_key.xml

# Decrypt a single file with custom output
serilog-encrypt decrypt app.log -k private_key.xml -o decrypted.log

# Decrypt all .log files in current directory using a glob pattern
serilog-encrypt decrypt *.log -k private_key.xml

# Decrypt with custom glob pattern (e.g., only app logs)
serilog-encrypt decrypt "app*.log" -k private_key.xml

# Decrypt all .log files in a directory
serilog-encrypt decrypt ./logs -k private_key.xml

# Decrypt all .log files in a directory recursively
serilog-encrypt decrypt ./logs -k private_key.xml -r

# Decrypt to a specific output directory
serilog-encrypt decrypt ./logs -k private_key.xml -o ./decrypted

Arguments:

  • <PATH>: Path to encrypted log file, directory (uses *.log pattern), or glob pattern (e.g., *.log, logs/*.txt)

Options:

  • -k|--key <KEY>: Path to the RSA private key file (default: private_key.xml)
  • -o|--output <OUTPUT>: Output directory or file path (default: adds .decrypted to original filename)
  • -r|--recursive: Process directories recursively
  • -s|--strict: Fail immediately on first decryption error (default: continues processing all files)
  • --error-log <PATH>: Write detailed error information to a separate log file

Features:

  • Memory-optimized for large log files
  • Simple error handling: continues on errors by default, or use --strict to fail fast
  • Fixed memory usage regardless of log file size
  • Support for structured logging formats (JSON, etc.)
  • Batch processing with glob patterns
  • Directory traversal with recursive option
  • Automatically skips files with .decrypted. in the name to prevent re-decryption

Examples

Basic Key Generation

# Generate keys in the current directory
serilog-encrypt generate --output .

# Generate keys in a specific directory
serilog-encrypt generate --output ./keys

Single File Decryption

# Decrypt a single file (creates app.decrypted.log)
serilog-encrypt decrypt app.log -k ./keys/private_key.xml

# Decrypt with custom output name
serilog-encrypt decrypt app.log -k ./keys/private_key.xml -o readable.log

# Decrypt with strict error checking
serilog-encrypt decrypt app.log -k ./keys/private_key.xml --strict

Batch Decryption

# Decrypt all .log files in current directory
serilog-encrypt decrypt *.log -k ./keys/private_key.xml

# Decrypt all .log files in a directory (uses *.log pattern automatically)
serilog-encrypt decrypt ./logs -k ./keys/private_key.xml

# Decrypt recursively through subdirectories
serilog-encrypt decrypt ./logs -k ./keys/private_key.xml -r

# Decrypt with custom glob pattern
serilog-encrypt decrypt "logs/app*.txt" -k ./keys/private_key.xml

# Decrypt to a different output directory
serilog-encrypt decrypt ./logs -k ./keys/private_key.xml -o ./decrypted-logs

Error Handling

Default Behavior (Recommended): By default, the tool continues processing all files even if some fail to decrypt:

serilog-encrypt decrypt ./logs -k private_key.xml

Strict Mode: Stop immediately on first error (useful for validation):

serilog-encrypt decrypt app.log -k private_key.xml --strict

Error Logging: Log detailed error information to a separate file while continuing to process files:

serilog-encrypt decrypt ./logs -k private_key.xml --error-log decryption-errors.log

Security Notes

  • Keep your private key secure and never share it
  • The private key is required to decrypt log files
  • Store keys separately from your application code
  • Consider using secure key management systems in production

Usage Notes

Re-decryption Safety

The tool automatically skips files with .decrypted. in the filename to prevent accidental re-decryption. This means you can safely:

  • Run decrypt multiple times on the same directory as new encrypted logs are added
  • Use the -r (recursive) option without worrying about processing already-decrypted files
  • Keep decrypted files alongside encrypted files in the same directory

Example:

# First run: decrypts app.log → app.decrypted.log
serilog-encrypt decrypt ./logs -k key.xml

# Later, after new logs are added
# Second run: only processes new encrypted files, skips app.decrypted.log
serilog-encrypt decrypt ./logs -k key.xml

Integration with Serilog

This tool works with log files encrypted by the Serilog.Sinks.File.Encrypt package. For detailed information on how to configure Serilog with encryption, see the main package documentation.

Requirements

  • .NET 8.0 or higher
  • Logs created with Serilog.Sinks.File.Encrypt
Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
2.0.0 654 12/2/2025
1.0.0 403 12/1/2025
0.50.1 171 11/27/2025
0.0.0-alpha.0.27 129 11/27/2025
0.0.0-alpha.0.17 134 11/25/2025
0.0.0-alpha.0.14 130 11/24/2025
0.0.0-alpha.0.13 130 11/24/2025

https://github.com/byte2pixel/serilog-sinks-file-encrypt/releases