Sealcraft treats keys as operational artifacts. Rotation, provider migration, and shred are first-class commands with dry-run support.
Playbook
- KEK rotation -- rewrap every DEK under the current KEK version. Fast, because only the small wrapped DEKs are rewritten; no row data is read or re-encrypted, so it is safe during normal operation.
- DEK rotation -- re-encrypt every row under a new DEK. Slower, since the cost scales with the volume of encrypted data; requires a maintenance window.
- Provider migration -- move DEKs between KMS providers (AWS -> GCP, Vault -> Azure, etc.).
- Crypto-shred -- destroy a context's DEK to render its ciphertext permanently unrecoverable. This is only final once every copy of the wrapped DEK is gone: a backup or replica of the key store that still holds it remains recoverable for as long as the KEK version that wraps it exists.
Dry run
Every destructive command supports --dry-run, which reports what would change without touching keys or data. Run it first, every time, and check that the counts it reports match what you expect before the real run.
Audit
php artisan sealcraft:audit
Reports DEK counts, distribution by context type, and distribution by KEK version, and optionally runs a round-trip encrypt/decrypt validation against every DEK to catch corruption or provider drift. Run it after a rotation or migration: a completed KEK rotation shows every DEK on the current KEK version, and a passing round-trip confirms that each DEK can still be unwrapped and used through the configured provider.
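The playbook operations and the audit round-trip, as an added example in Go that is not Sealcraft's code and does not use its API. It models a hypothetical envelope-encryption layout (one DEK per context, stored only wrapped under a versioned KEK; a map stands in for the KMS; rows sealed with AES-256-GCM) so that the cost difference between KEK and DEK rotation, the all-or-nothing commit of a DEK rotation, and what crypto-shred actually destroys are visible. In this model a provider migration would be the same rewrap step as a KEK rotation with a KEK served by the destination provider, so it is not shown separately. Every name here (Context, KEKs, RotateKEK, RotateDEK, Shred, Audit) and the sample rows are this example's own, not the package's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Context is this example's hypothetical layout (not Sealcraft's): one DEK per context, held
// only wrapped under a versioned KEK, with every row sealed by AES-256-GCM under that DEK.
type Context struct {
	WrappedDEK []byte // DEK sealed under KEKs[KEKVersion]; nil once shredded
	KEKVersion int
	Rows       [][]byte // nonce||ciphertext||tag per row, sealed under the DEK
}

var KEKs = map[int][]byte{} // stands in for the KMS (version -> key); real KEK material never leaves the KMS

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // bad key length, unknown KEK version or failed CSPRNG: nothing to retry
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce||ciphertext||tag under a fresh random nonce.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open fails on a wrong key, tampering, truncation or a shredded (nil) input.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext missing or truncated")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

func (c *Context) unwrapDEK() ([]byte, error) { return open(KEKs[c.KEKVersion], c.WrappedDEK) }

// NewContext mints a DEK, wraps it under kekVersion and seals every row under it.
func NewContext(kekVersion int, plaintextRows [][]byte) *Context {
	dek := randBytes(32)
	c := &Context{WrappedDEK: seal(KEKs[kekVersion], dek), KEKVersion: kekVersion}
	for _, pt := range plaintextRows {
		c.Rows = append(c.Rows, seal(dek, pt))
	}
	return c
}

// RotateKEK rewraps the DEK under newVersion; rows are neither read nor rewritten.
func (c *Context) RotateKEK(newVersion int) error {
	dek, err := c.unwrapDEK()
	if err != nil {
		return err
	}
	c.WrappedDEK, c.KEKVersion = seal(KEKs[newVersion], dek), newVersion
	return nil
}

// RotateDEK re-seals every row under a fresh DEK and commits only once all rows round-trip.
func (c *Context) RotateDEK() error {
	old, err := c.unwrapDEK()
	if err != nil {
		return err
	}
	fresh, rows := randBytes(32), make([][]byte, 0, len(c.Rows))
	for i, ct := range c.Rows {
		pt, err := open(old, ct)
		if err != nil {
			return fmt.Errorf("row %d: %w", i, err) // abort with no partial state written
		}
		rows = append(rows, seal(fresh, pt))
	}
	c.Rows, c.WrappedDEK = rows, seal(KEKs[c.KEKVersion], fresh)
	return nil
}

// Shred drops the wrapped DEK: the rows stay on disk but can never be opened again.
func (c *Context) Shred() { c.WrappedDEK = nil }

// Audit round-trips every row (sealcraft:audit's optional validation) and counts the rows
// that fail to open; all of them count as failed when the DEK itself cannot be unwrapped.
func (c *Context) Audit() (int, error) {
	dek, err := c.unwrapDEK()
	if err != nil {
		return len(c.Rows), err
	}
	failed := 0
	for _, ct := range c.Rows {
		if _, err := open(dek, ct); err != nil {
			failed++
		}
	}
	return failed, nil
}

func main() {
	KEKs[1], KEKs[2] = randBytes(32), randBytes(32) // constructed keys; a real KMS holds these
	c := NewContext(1, [][]byte{[]byte("constructed row 1"), []byte("constructed row 2")})
	fmt.Println("KEK rotation:", c.RotateKEK(2), "DEK rotation:", c.RotateDEK())
	c.Shred()
	fmt.Println(c.Audit()) // both rows fail: the DEK is gone
}
```

The order of operations in RotateDEK is the point to carry over to any real tool: every row is decrypted and re-sealed into a fresh slice, and the context is updated only after the loop, so one corrupt row aborts with nothing half-written. The same corrupt row shows up in Audit's failure count before the rotation is attempted, which is why the audit with round-trip validation belongs before a DEK rotation or migration, not only after it.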
Contributors
Thank you to everyone who has contributed to this package. Every pull request, bug report, and idea makes a difference.