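# Encryption Demo Form
#
# This form demonstrates the encryption and redaction pipeline in typedialog.
# Fields marked as "sensitive" will be:
# - Redacted to [REDACTED] with --redact flag
# - Encrypted with --encrypt flag (requires Age, SOPS, SecretumVault, or KMS backend)
#
# NOTE(review): this header does not say what happens to sensitive fields when
# neither --redact nor --encrypt is passed. Confirm against the typedialog docs
# before sending output to logs, CI artifacts, or shared terminals.
#
# Usage:
#   # Redaction mode (no encryption service needed)
#   typedialog form examples/08-encryption/credentials.toml --redact --format json
#
#   # Age encryption (local, requires ~/.age/key.txt)
#   # If key.txt is an age identity file it contains the private key: keep it
#   # readable only by your user and out of version control.
#   typedialog form examples/08-encryption/credentials.toml \
#     --encrypt --backend age --key-file ~/.age/key.txt --format json
#
#   # SOPS encryption (supports AWS/GCP/Azure KMS via .sops.yaml)
#   export AWS_REGION=us-east-1
#   typedialog form examples/08-encryption/credentials.toml \
#     --encrypt --backend sops --format json
#
#   # SecretumVault encryption (post-quantum cryptography ready)
#   # The token below is a truncated placeholder. A real token typed after
#   # `export` lands in shell history and is inherited by child processes;
#   # prefer loading it from a secret store or a short-lived login.
#   export VAULT_ADDR=https://vault.internal:8200
#   export VAULT_TOKEN=hvs.CAAA...
#   typedialog form examples/08-encryption/credentials.toml \
#     --encrypt --backend secretumvault --format json

name = "user_credentials"
description = "User credentials with encryption support"
display_mode = "complete"

# ============================================================================
# Non-sensitive fields (will be output as plaintext)
# ============================================================================
# Plaintext here means plaintext in every output format. username and email
# are still personal data, so treat the resulting file accordingly.

[[fields]]
name = "username"
type = "text"
prompt = "Username"
required = true
sensitive = false

[[fields]]
name = "email"
type = "text"
prompt = "Email address"
required = true
sensitive = false

[[fields]]
name = "company"
type = "text"
prompt = "Company (optional)"
required = false
sensitive = false

# ============================================================================
# Sensitive fields - Auto-detected (FieldType::Password = sensitive by default)
# ============================================================================

[[fields]]
name = "password"
type = "password"
prompt = "Password"
required = true
# sensitive not specified - auto-detected as true from FieldType::Password

# NOTE(review): nothing in this file links confirm_password to password.
# Confirm that the tool (or the caller) compares the two values, and consider
# whether the confirmation copy needs to appear in the output at all.
[[fields]]
name = "confirm_password"
type = "password"
prompt = "Confirm password"
required = true

# ============================================================================
# Sensitive fields - Explicit (sensitive = true)
# These are non-password fields but marked sensitive
# ============================================================================
# NOTE(review): sensitive = true governs redaction/encryption of the output.
# These fields use type = "text" / "editor", which presumably echo input on
# screen while it is typed; verify before entering real secrets in a shared
# or recorded session.

[[fields]]
name = "api_token"
type = "text"
prompt = "API Token"
required = false
sensitive = true
encryption_backend = "age"

# No encryption_backend set: ssh_key and database_url fall back to the CLI
# --backend flag or the global default (see the per-field section below).
[[fields]]
name = "ssh_key"
type = "editor"
prompt = "SSH Private Key (multiline)"
required = false
sensitive = true

# Connection strings commonly embed a username and password, hence sensitive.
[[fields]]
name = "database_url"
type = "text"
prompt = "Database Connection String"
required = false
sensitive = true

# ============================================================================
# Encryption configuration per field (optional)
# If not specified, uses CLI --backend flag or global default
# ============================================================================

[[fields]]
name = "vault_token"
type = "text"
prompt = "Vault Token (encrypted with SOPS)"
required = false
sensitive = true
encryption_backend = "sops"
# Note: SOPS reads configuration from .sops.yaml in current directory or parent
# No additional config needed - SOPS uses .sops.yaml for KMS setup
# Because .sops.yaml is picked up from the working directory or a parent,
# check which file is in effect: it decides which keys can decrypt the output.

[[fields]]
name = "kms_key_id"
type = "text"
prompt = "AWS KMS Key ID (encrypted with AWS KMS)"
required = false
sensitive = true
encryption_backend = "awskms"

# Sub-table of the kms_key_id element above (it must stay directly after it).
# The ARN is a placeholder using the AWS documentation example account id;
# replace it with a key your principal is allowed to use for encryption.
[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# ============================================================================
# Non-sensitive field (explicit override)
# Note: This field is type=password but marked as NOT sensitive
# Will be output as plaintext (useful for test/demo passwords)
# ============================================================================
# sensitive = false switches off both redaction and encryption for this field,
# so --redact and --encrypt will not protect it. Keep this override to
# throwaway demo values; do not copy it into forms that collect real passwords.

[[fields]]
name = "demo_password"
type = "password"
prompt = "Demo password (shown in plaintext)"
required = false
sensitive = false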