TypeDialog/examples/08-encryption/multi-backend-sops.toml

# Multi-Backend Encryption with SOPS Focus
#
# This example demonstrates how different sensitive fields can use different
# encryption backends in the same form. Useful for multi-environment deployments:
# - Development: Age (local, no external service)
# - Staging: SOPS (team collaboration, key management)
# - Production: SecretumVault or direct AWS KMS (enterprise)
#
# Usage:
#
# Development (Age - local):
#   age-keygen -o ~/.age/key.txt  # Only needed once
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend age --key-file ~/.age/key.txt --format json
#
# Staging (SOPS - AWS KMS via .sops.yaml):
#   # Create .sops.yaml
#   cat > .sops.yaml << 'EOF'
#   creation_rules:
#     - path_regex: .*
#       kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#   EOF
#   export AWS_REGION=us-east-1
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend sops --format json
#
# Production (SecretumVault - post-quantum):
#   export VAULT_ADDR=https://vault.prod:8200
#   export VAULT_TOKEN=hvs.token
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend secretumvault --format json
#

name = "multi_backend_config"
description = "Configuration with multiple encryption backends for different environments"
display_mode = "complete"

# ============================================================================
# Application Configuration (Non-sensitive)
# ============================================================================

[[fields]]
name = "app_name"
type = "text"
prompt = "Application name"
required = true
sensitive = false

[[fields]]
name = "environment"
type = "select"
prompt = "Environment"
required = true
sensitive = false
options = ["development", "staging", "production"]

[[fields]]
name = "log_level"
type = "select"
prompt = "Log level"
required = false
sensitive = false
options = ["debug", "info", "warn", "error"]

# ============================================================================
# Database Configuration
# Field-level backend: SOPS (team-friendly, multi-KMS support)
# ============================================================================

[[fields]]
name = "db_host"
type = "text"
prompt = "Database hostname"
required = true
sensitive = false

[[fields]]
name = "db_port"
type = "text"
prompt = "Database port"
required = false
sensitive = false
default = "5432"

[[fields]]
name = "db_username"
type = "text"
prompt = "Database username"
required = true
sensitive = false

[[fields]]
name = "db_password"
type = "password"
prompt = "Database password (encrypted with SOPS)"
required = true
sensitive = true
encryption_backend = "sops"
# Note: SOPS configuration comes from .sops.yaml
# Supports AWS KMS, GCP KMS, Azure Key Vault via that config

# ============================================================================
# API Keys and Tokens
# Field-level backend: Age (simple, local)
# These might be development tokens that don't need KMS
# ============================================================================

[[fields]]
name = "api_key"
type = "text"
prompt = "API Key (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

[[fields]]
name = "api_secret"
type = "password"
prompt = "API Secret (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

# ============================================================================
# Enterprise/Production Secrets
# Field-level backend: AWS KMS (direct cloud integration)
# These are critical secrets that require cloud KMS
# ============================================================================

[[fields]]
name = "master_key"
type = "password"
prompt = "Master encryption key (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

[[fields]]
name = "root_token"
type = "password"
prompt = "Root access token (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# ============================================================================
# Certificate and Key Material
# Field-level backend: SecretumVault (post-quantum, enterprise)
# Uses Transit Engine for encryption with PQC support
# ============================================================================

[[fields]]
name = "tls_cert"
type = "editor"
prompt = "TLS Certificate (SecretumVault with PQC)"
required = false
sensitive = true
encryption_backend = "secretumvault"

[[fields]]
name = "tls_key"
type = "editor"
prompt = "TLS Private Key (SecretumVault with PQC)"
required = false
sensitive = true
encryption_backend = "secretumvault"

# ============================================================================
# Configuration Summary
# ============================================================================
# This form demonstrates backend selection per field:
#
# Age Backend:      API keys (simple, local)
# SOPS Backend:     Database password (team collaboration)
# AWS KMS:          Critical production tokens
# SecretumVault:    TLS materials (post-quantum ready)
#
# Same form works for all environments with proper CLI flags:
#   --encrypt --backend age              # Dev
#   --encrypt --backend sops             # Staging (requires .sops.yaml)
#   --encrypt --backend secretumvault    # Production
#
# Field-level encryption_backend overrides CLI --backend for that specific field
# This allows mixing backends even within the same form execution.