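# Multi-Backend Encryption with SOPS Focus
#
# This example demonstrates how different sensitive fields can use different
# encryption backends in the same form. Useful for multi-environment deployments:
#   - Development: Age (local, no external service)
#   - Staging:     SOPS (team collaboration, key management)
#   - Production:  SecretumVault or direct AWS KMS (enterprise)
#
# Usage:
#
#   Development (Age - local):
#     age-keygen -o ~/.age/key.txt   # Only needed once; keep the key file private (mode 0600)
#     typedialog form examples/08-encryption/multi-backend-sops.toml \
#       --encrypt --backend age --key-file ~/.age/key.txt --format json
#
#   Staging (SOPS - AWS KMS via .sops.yaml):
#     # Create .sops.yaml. The `path_regex: .*` rule below matches every file
#     # SOPS is pointed at in this directory tree; narrow it to the files this
#     # form actually writes once the output path is fixed.
#     cat > .sops.yaml << 'EOF'
#     creation_rules:
#       - path_regex: .*
#         kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#     EOF
#     export AWS_REGION=us-east-1
#     typedialog form examples/08-encryption/multi-backend-sops.toml \
#       --encrypt --backend sops --format json
#
#   Production (SecretumVault - post-quantum):
#     export VAULT_ADDR=https://vault.prod:8200
#     # `hvs.token` is a placeholder. Do not type a real token into an
#     # `export` line: it is recorded in shell history. Prefer a silent
#     # prompt, e.g. `read -rs VAULT_TOKEN && export VAULT_TOKEN`.
#     export VAULT_TOKEN=hvs.token
#     typedialog form examples/08-encryption/multi-backend-sops.toml \
#       --encrypt --backend secretumvault --format json
#
# NOTE(review): per the summary at the end of this file, a field-level
# `encryption_backend` overrides the CLI `--backend`. The "Development (Age)"
# invocation above therefore still needs a working SOPS/.sops.yaml setup,
# because `db_password` is required and pinned to SOPS, and the optional
# AWS KMS / SecretumVault fields will need their backends if they are filled
# in. Confirm how typedialog behaves when a field's pinned backend is not
# configured before relying on the dev invocation as "local only".

name = "multi_backend_config"
description = "Configuration with multiple encryption backends for different environments"
display_mode = "complete"

# ============================================================================
# Application Configuration (Non-sensitive)
# ============================================================================

[[fields]]
name = "app_name"
type = "text"
prompt = "Application name"
required = true
sensitive = false

[[fields]]
name = "environment"
type = "select"
prompt = "Environment"
required = true
sensitive = false
options = ["development", "staging", "production"]

[[fields]]
name = "log_level"
type = "select"
prompt = "Log level"
required = false
sensitive = false
options = ["debug", "info", "warn", "error"]

# ============================================================================
# Database Configuration
# Field-level backend: SOPS (team-friendly, multi-KMS support)
# ============================================================================

[[fields]]
name = "db_host"
type = "text"
prompt = "Database hostname"
required = true
sensitive = false

[[fields]]
name = "db_port"
type = "text"
prompt = "Database port"
required = false
sensitive = false
# Kept as a text field with a string default to match the form's field types;
# the consuming application is responsible for parsing it as a port number.
default = "5432"

[[fields]]
name = "db_username"
type = "text"
prompt = "Database username"
required = true
sensitive = false

[[fields]]
name = "db_password"
type = "password"
prompt = "Database password (encrypted with SOPS)"
required = true
sensitive = true
# SOPS reads its key configuration from .sops.yaml, which selects AWS KMS,
# GCP KMS or Azure Key Vault. Because this field pins SOPS, it is encrypted
# with SOPS regardless of the CLI --backend flag.
encryption_backend = "sops"

# ============================================================================
# API Keys and Tokens
# Field-level backend: Age (simple, local)
# These might be development tokens that don't need KMS
# ============================================================================

[[fields]]
name = "api_key"
type = "text"
prompt = "API Key (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

[[fields]]
name = "api_secret"
type = "password"
prompt = "API Secret (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

# ============================================================================
# Enterprise/Production Secrets
# Field-level backend: AWS KMS (direct cloud integration)
# These are critical secrets that require cloud KMS
#
# The key ARN below uses the placeholder account 123456789012 and a dummy
# key id; replace both with the real CMK before use. Both fields share the
# same key on purpose so one key policy governs all "root"-level material.
# ============================================================================

[[fields]]
name = "master_key"
type = "password"
prompt = "Master encryption key (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

[[fields]]
name = "root_token"
type = "password"
prompt = "Root access token (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# ============================================================================
# Certificate and Key Material
# Field-level backend: SecretumVault (post-quantum, enterprise)
# Uses Transit Engine for encryption with PQC support
# ============================================================================

[[fields]]
name = "tls_cert"
type = "editor"
prompt = "TLS Certificate (SecretumVault with PQC)"
required = false
sensitive = true
# NOTE(review): a certificate is normally public. It is marked sensitive here,
# presumably so the cert/key pair stays together under one backend — confirm
# that is intended rather than an oversight.
encryption_backend = "secretumvault"

[[fields]]
name = "tls_key"
type = "editor"
prompt = "TLS Private Key (SecretumVault with PQC)"
required = false
sensitive = true
encryption_backend = "secretumvault"

# ============================================================================
# Configuration Summary
# ============================================================================
# This form demonstrates backend selection per field:
#
#   Age Backend:    API keys (simple, local)
#   SOPS Backend:   Database password (team collaboration)
#   AWS KMS:        Critical production tokens
#   SecretumVault:  TLS materials (post-quantum ready)
#
# The same form is used for every environment; the CLI flag only sets the
# backend for fields that do not pin one:
#   --encrypt --backend age            # Dev
#   --encrypt --backend sops           # Staging (requires .sops.yaml)
#   --encrypt --backend secretumvault  # Production
#
# A field-level `encryption_backend` overrides the CLI --backend for that
# field, so one form execution can mix backends. The flip side is that every
# pinned backend must be reachable in every environment where its field is
# filled in — see the NOTE(review) in the header.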