Serilog.Sinks.File.Encrypt.Cli 4.0.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet tool install --global Serilog.Sinks.File.Encrypt.Cli --version 4.0.0
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local Serilog.Sinks.File.Encrypt.Cli --version 4.0.0
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=Serilog.Sinks.File.Encrypt.Cli&version=4.0.0
                    


                    

                
nuke :add-package Serilog.Sinks.File.Encrypt.Cli --version 4.0.0

Serilog.Sinks.File.Encrypt CLI Tool

Build Status codecov NuGet NuGet Downloads License: MIT

A command-line tool for managing RSA key pairs and decrypting log files created by the Serilog.Sinks.File.Encrypt package.

v4.x can decrypt log files written by v3.0.0, but not v2.x. v3.0.0 is a breaking change from v2.x. The v3.x CLI cannot decrypt log files written by v2.x. Decrypt existing v2.x files with the v2.x CLI before upgrading. See the CHANGELOG for the full migration guide.

The CLI is designed for simplicity and ease of use, with a focus mainly on testing and development scenarios.

For production use, especially with complex key management needs, the correct solution is to implement an IKeyProvider and integrate it with your secure key management system.

The CLI can still be used for ad-hoc decryption tasks, but for ongoing operations, the main package's API provides more flexibility and security. See the main package documentation for details on how to implement and integrate a custom IKeyProvider with your application.

Installation

Install the tool globally using the .NET CLI:

dotnet tool install --global Serilog.Sinks.File.Encrypt.Cli

Usage

Generate RSA Key Pair

Generate a new RSA public/private key pair for encrypting log files:

serilog-encrypt generate --output ./keys

Options:

  • -o|--output <OUTPUT> (required): The directory where the key files will be saved
  • -k|--key-size <KEY_SIZE> (optional): The size of the RSA key in bits (default: 2048)
  • -f|--format <FORMAT> (optional): The encoding format (Xml or Pem) for the RSA keys (default: Xml)

This creates two files:

  • private_key.xml: The private key used for decryption (keep secure)
  • public_key.xml: The public key used for encryption

Decrypt Log Files

Decrypt encrypted log files using your RSA private key:

# Decrypt a single file (output: app.decrypted.log in same directory)
serilog-encrypt decrypt app.log -k private_key.xml

# Decrypt with a key ID (must match the keyId used during encryption)
serilog-encrypt decrypt app.log -k private_key.xml --id my-app-key-2026

# Decrypt a single file with custom output
serilog-encrypt decrypt app.log -k private_key.xml -o decrypted.log

# Decrypt all .log files using a glob pattern
serilog-encrypt decrypt "*.log" -k private_key.xml --id my-app-key-2026

# Decrypt all .log files under a directory using a glob pattern
serilog-encrypt decrypt "logs/*.log" -k private_key.xml --id my-app-key-2026

# Decrypt to a specific output directory
serilog-encrypt decrypt "logs/*.log" -k private_key.xml -o ./decrypted

Arguments:

  • <PATH>: Path to an encrypted log file, or a glob pattern (e.g., *.log, logs/*.txt). Directories are not accepted directly — append a pattern such as logs/*.log.

Options:

  • -k|--key <KEY>: Path to the RSA private key file (default: private_key.xml)
  • --id <KEY_ID>: The key ID that was supplied to EncryptHooks during encryption (default: "" — matches files encrypted without a key ID)
  • -o|--output <OUTPUT>: Output directory or file path (default: adds .decrypted to original filename)
  • -s|--strict: Fail immediately on first decryption error (default: continues processing all files)
  • --audit-log <PATH>: Write detailed audit information to a rolling log file (max 10 MB, 7 retained files). If omitted, a randomly-named file is created in the temp directory.

Features:

  • Memory-optimized for large log files
  • Simple error handling: continues on errors by default, or use --strict to fail fast
  • Batch processing with glob patterns
  • Automatically skips files with .decrypted. in the name to prevent re-decryption

Examples

Basic Key Generation

# Generate keys in the current directory
serilog-encrypt generate --output .

# Generate keys in a specific directory
serilog-encrypt generate --output ./keys

Single File Decryption

# Decrypt a single file (creates app.decrypted.log)
serilog-encrypt decrypt app.log -k ./keys/private_key.xml

# Decrypt with key ID (recommended when keyId was set during encryption)
serilog-encrypt decrypt app.log -k ./keys/private_key.xml --id my-app-key-2026

# Decrypt with custom output name
serilog-encrypt decrypt app.log -k ./keys/private_key.xml -o readable.log

# Decrypt with strict error checking
serilog-encrypt decrypt app.log -k ./keys/private_key.xml --strict

Batch Decryption

# Decrypt all .log files in the current directory
serilog-encrypt decrypt "*.log" -k ./keys/private_key.xml --id my-app-key-2026

# Decrypt all .log files under a subdirectory using a glob pattern
serilog-encrypt decrypt "logs/*.log" -k ./keys/private_key.xml --id my-app-key-2026

# Decrypt with a custom glob pattern (e.g., only specific file names)
serilog-encrypt decrypt "logs/app*.txt" -k ./keys/private_key.xml

# Decrypt to a different output directory
serilog-encrypt decrypt "logs/*.log" -k ./keys/private_key.xml -o ./decrypted-logs

Key Rotation

When your application uses different keys for different time periods, decrypt each batch with the corresponding key and --id:

# Files encrypted with the 2025 key
serilog-encrypt decrypt "logs/2025/*.log" -k ./keys/private_key_2025.xml --id my-app-key-2025

# Files encrypted with the 2026 key
serilog-encrypt decrypt "logs/2026/*.log" -k ./keys/private_key_2026.xml --id my-app-key-2026

The CLI supports one key per invocation. To decrypt a mixed directory containing files from multiple key rotations, use the IKeyProvider API from the main package to implement custom logic for selecting the correct key and decrypting the AES session. There is a LocalKeyProvider implementation included.

Error Handling

Default Behavior (Recommended): By default, the tool continues processing all files even if some fail to decrypt:

serilog-encrypt decrypt "logs/*.log" -k private_key.xml --id my-app-key-2026

Strict Mode: Stop immediately on first error (useful for validation):

serilog-encrypt decrypt app.log -k private_key.xml --strict

Audit Logging: Write detailed diagnostic information to a separate rolling log file. If --audit-log is not specified, one is always created in the temp directory:

# If not specified, a randomly-named audit log will be created in the temporary directory
serilog-encrypt decrypt "logs/*.log" -k private_key.xml --audit-log decryption-audit.log

Security Notes

  • Keep your private key secure and never share it
  • The private key is required to decrypt log files
  • Store keys separately from your application code
  • Consider using secure key management systems in production

Usage Notes

Re-decryption Safety

The tool automatically skips files with .decrypted. in the filename to prevent accidental re-decryption. This means you can safely:

  • Run decrypt multiple times on the same directory as new encrypted logs are added
  • Keep decrypted files alongside encrypted files in the same directory

Example:

# First run: decrypts app.log → app.decrypted.log
serilog-encrypt decrypt "logs/*.log" -k key.xml --id my-app-key-2026

# Later, after new logs are added
# Second run: only processes app.log and overwrites app.decrypted.log
# skips trying to decrypt app.decrypted.log
serilog-encrypt decrypt "logs/*.log" -k key.xml --id my-app-key-2026

Integration with Serilog

This tool works with log files encrypted by the Serilog.Sinks.File.Encrypt package. For detailed information on how to configure Serilog with encryption, see the main package documentation.

Requirements

  • .NET 8.0 or higher
  • Logs created with Serilog.Sinks.File.Encrypt v3.0.0 or later
Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
4.0.0 107 4/13/2026
4.0.0-preview.1 48 4/8/2026
3.0.0 96 3/23/2026
2.0.1-alpha.0.16 48 3/23/2026
2.0.0 705 12/2/2025
1.0.0 451 12/1/2025
0.50.1 213 11/27/2025
0.0.0-alpha.0.27 170 11/27/2025
0.0.0-alpha.0.17 170 11/25/2025
0.0.0-alpha.0.14 160 11/24/2025
0.0.0-alpha.0.13 175 11/24/2025

https://github.com/byte2pixel/serilog-sinks-file-encrypt/releases