# Multi-backend encryption, SOPS-centred example
#
# One form, several encryption backends: each sensitive field may name its own
# `encryption_backend`, which takes precedence over the CLI `--backend` flag for
# that field only. Fields without one follow the CLI flag. The intended mapping:
#   - Development : Age (local key file, no external service)
#   - Staging     : SOPS (team collaboration, key management)
#   - Production  : SecretumVault or direct AWS KMS (enterprise)
#
# Usage
#
# Development (Age, local key):
#   age-keygen -o ~/.age/key.txt          # once; keep this file readable only by you
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend age --key-file ~/.age/key.txt --format json
#
# Staging (SOPS, AWS KMS configured through .sops.yaml):
#   cat > .sops.yaml << 'EOF'
#   creation_rules:
#     - path_regex: .*
#       kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#   EOF
#   export AWS_REGION=us-east-1
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend sops --format json
#
# Production (SecretumVault, post-quantum):
#   export VAULT_ADDR=https://vault.prod:8200
#   export VAULT_TOKEN=hvs.token          # placeholder; never commit a real token
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend secretumvault --format json

name = "multi_backend_config"
description = "Configuration with multiple encryption backends for different environments"
display_mode = "complete"

# ---------------------------------------------------------------------------
# Application settings — not sensitive, so these carry no encryption backend
# and are left in the clear (sensitive = false).
# ---------------------------------------------------------------------------

[[fields]]
name = "app_name"
type = "text"
prompt = "Application name"
required = true
sensitive = false

[[fields]]
name = "environment"
type = "select"
prompt = "Environment"
options = ["development", "staging", "production"]
required = true
sensitive = false

[[fields]]
name = "log_level"
type = "select"
prompt = "Log level"
options = ["debug", "info", "warn", "error"]
required = false
sensitive = false

# ---------------------------------------------------------------------------
# Database settings
# Only the password is sensitive; it is pinned to SOPS, whose key material
# (AWS KMS, GCP KMS, Azure Key Vault, ...) is taken from .sops.yaml.
# ---------------------------------------------------------------------------

[[fields]]
name = "db_host"
type = "text"
prompt = "Database hostname"
required = true
sensitive = false

[[fields]]
name = "db_port"
type = "text"
prompt = "Database port"
default = "5432"
required = false
sensitive = false

[[fields]]
name = "db_username"
type = "text"
prompt = "Database username"
required = true
sensitive = false

[[fields]]
name = "db_password"
type = "password"
prompt = "Database password (encrypted with SOPS)"
encryption_backend = "sops"
required = true
sensitive = true

# ---------------------------------------------------------------------------
# API credentials
# Pinned to Age: a local, keyfile-based backend suited to development tokens
# that do not warrant a cloud KMS.
# ---------------------------------------------------------------------------

[[fields]]
name = "api_key"
type = "text"
prompt = "API Key (encrypted with Age)"
encryption_backend = "age"
required = false
sensitive = true

[[fields]]
name = "api_secret"
type = "password"
prompt = "API Secret (encrypted with Age)"
encryption_backend = "age"
required = false
sensitive = true

# ---------------------------------------------------------------------------
# Production secrets
# Pinned to AWS KMS directly; `encryption_config` names the key. The ARN below
# is a sample (documentation account id / key id) — replace it with the real
# key ARN, and keep the region in sync with it.
# ---------------------------------------------------------------------------

[[fields]]
name = "master_key"
type = "password"
prompt = "Master encryption key (AWS KMS protected)"
encryption_backend = "awskms"
encryption_config = { key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", region = "us-east-1" }
required = false
sensitive = true

[[fields]]
name = "root_token"
type = "password"
prompt = "Root access token (AWS KMS protected)"
encryption_backend = "awskms"
encryption_config = { key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", region = "us-east-1" }
required = false
sensitive = true

# ---------------------------------------------------------------------------
# Certificate and key material
# Pinned to SecretumVault (Transit Engine, post-quantum capable). Both the
# certificate and the private key are marked sensitive here.
# ---------------------------------------------------------------------------

[[fields]]
name = "tls_cert"
type = "editor"
prompt = "TLS Certificate (SecretumVault with PQC)"
encryption_backend = "secretumvault"
required = false
sensitive = true

[[fields]]
name = "tls_key"
type = "editor"
prompt = "TLS Private Key (SecretumVault with PQC)"
encryption_backend = "secretumvault"
required = false
sensitive = true

# ---------------------------------------------------------------------------
# Summary of backend selection per field
#
#   Age            api_key, api_secret       (simple, local)
#   SOPS           db_password               (team collaboration, via .sops.yaml)
#   AWS KMS        master_key, root_token    (critical production secrets)
#   SecretumVault  tls_cert, tls_key         (post-quantum ready)
#
# The same form serves every environment; pick the default with the CLI flag:
#   --encrypt --backend age              # development
#   --encrypt --backend sops             # staging (needs .sops.yaml)
#   --encrypt --backend secretumvault    # production
#
# A field's own `encryption_backend` wins over `--backend`, so backends can be
# mixed within a single run of the form.
# ---------------------------------------------------------------------------