8.2 KiB
8.2 KiB
Encryption Examples
This directory contains example forms demonstrating typedialog's encryption and redaction features.
Quick Test (No Setup Required)
# Redaction: Replace sensitive values with [REDACTED]
typedialog form examples/08-encryption/simple-login.toml --redact --format json
# Expected output:
# {
# "username": "alice",
# "password": "[REDACTED]"
# }
Setup Required
Before running encryption tests, set up encryption services:
./scripts/encryption-test-setup.sh
source /tmp/typedialog-env.sh
Forms Included
1. simple-login.toml - Minimal Example
Purpose: Quick verification of redaction and encryption
Fields:
username(plaintext)password(sensitive, auto-detected from type)
Test Cases:
# Redaction (no service required)
typedialog form examples/08-encryption/simple-login.toml \
--redact --format json
# Age encryption (requires ~/.age/key.txt)
typedialog form examples/08-encryption/simple-login.toml \
--encrypt --backend age --key-file ~/.age/key.txt \
--format json
Expected Behavior:
- Redaction:
passwordshows[REDACTED] - Age encryption:
passwordshowsage1-...(Age ciphertext)
2. credentials.toml - Full Example
Purpose: Comprehensive demonstration of encryption features
Fields:
- Non-sensitive: username, email, company
- Auto-detected: password, confirm_password (type=password)
- Explicitly sensitive: api_token, ssh_key, database_url, vault_token
- Override: demo_password (type=password but sensitive=false)
Features Demonstrated:
- Sensitive field auto-detection from FieldType
- Explicit sensitivity marking
- Field-level encryption backend specification
- Encryption config per field (vault_addr, key_path)
Test Cases:
# Show all sensitive fields redacted
typedialog form examples/08-encryption/credentials.toml \
--redact --format json
# Output format:
# {
# "username": "alice",
# "email": "alice@example.com",
# "company": "Acme Corp",
# "password": "[REDACTED]",
# "confirm_password": "[REDACTED]",
# "api_token": "[REDACTED]",
# "ssh_key": "[REDACTED]",
# "database_url": "[REDACTED]",
# "vault_token": "[REDACTED]",
# "demo_password": "demo123" <- Not redacted (explicit sensitive=false)
# }
# Encrypt with Age backend
typedialog form examples/08-encryption/credentials.toml \
--encrypt --backend age \
--key-file ~/.age/key.txt \
--format json
# Output format:
# {
# "username": "alice",
# "email": "alice@example.com",
# "password": "age1muz6ah54ew9am7mzmy0m4w5arcegt056l9448sqy5ju27q5qaf3qjv35tr",
# "api_token": "age1muz6ah54ew9am7mzmy0m4w5arcegt056l9448sqy5ju27q5qaf3qjv35tr",
# ...
# }
# Encrypt with SOPS (supports AWS KMS, GCP KMS, Azure Key Vault)
# First, create .sops.yaml in project root:
cat > .sops.yaml << 'EOF'
creation_rules:
- path_regex: .*
kms: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
EOF
# Then run:
export AWS_REGION=us-east-1
typedialog form examples/08-encryption/credentials.toml \
--encrypt --backend sops \
--format json
# Output format:
# {
# "username": "alice",
# "password": "sops:v1:4f5...",
# ...
# }
# Or use SecretumVault Transit Engine (post-quantum cryptography ready)
export VAULT_ADDR="https://vault.internal:8200"
export VAULT_TOKEN="hvs.CAAA..."
typedialog form examples/08-encryption/credentials.toml \
--encrypt --backend secretumvault \
--vault-key-name "app-encryption-key" \
--format json
# Output format:
# {
# "username": "alice",
# "password": "vault:v1:K8...",
# ...
# }
3. nickel-secrets.ncl - Nickel Schema Definition
Purpose: Define encryption in Nickel schema language
Syntax:
# Basic sensitive field (uses CLI backend)
password | Sensitive = ""
# Age encryption (local X25519)
password | Sensitive Backend="age" Key="~/.age/key.txt" = ""
# SOPS (multi-KMS via .sops.yaml)
database_password | Sensitive Backend="sops" = ""
# SecretumVault (post-quantum cryptography)
api_key | Sensitive Backend="secretumvault" Vault="https://vault:8200" Key="app-key" = ""
# AWS KMS (direct integration)
vault_token | Sensitive Backend="awskms" Region="us-east-1" KeyId="arn:aws:kms:..." = ""
Usage:
# 1. Query Nickel schema to extract metadata
nickel query examples/08-encryption/nickel-secrets.ncl inputs
# 2. Parse to TypeDialogConfig/Form (generates TOML with encryption_config)
# (Requires nickel CLI and typedialog integration - future feature)
# 3. Or manually convert to TOML matching this structure
Equivalent TOML representation:
[[fields]]
name = "password"
type = "password"
sensitive = true
encryption_backend = "age"
[fields.encryption_config]
key = "~/.age/key.txt"
Testing Checklist
1. Redaction (No Service)
- Run:
typedialog form examples/08-encryption/simple-login.toml --redact --format json - Verify:
passwordfield shows[REDACTED] - Verify:
usernamefield shows entered value
2. Age Encryption (With Key File)
- Key file exists:
cat ~/.age/key.txt - Run:
typedialog form examples/08-encryption/simple-login.toml --encrypt --backend age --key-file ~/.age/key.txt --format json - Verify:
passwordfield showsage1-...(not plaintext) - Verify:
usernamefield shows plaintext
3. SOPS Encryption (Optional, Requires .sops.yaml and KMS)
- Install sops:
brew install sopsorapt-get install sops - Create
.sops.yamlwith KMS configuration - Configure KMS credentials (AWS_REGION, AWS_PROFILE, etc.)
- Run:
typedialog form examples/08-encryption/simple-login.toml --encrypt --backend sops --format json - Verify:
passwordfield showssops:v1:...(not plaintext)
4. SecretumVault (Optional, Requires Vault Service)
- Service running:
curl https://vault.internal:8200/v1/sys/health - Set environment:
export VAULT_ADDR=https://vault:8200 VAULT_TOKEN=token - Run:
typedialog form examples/08-encryption/simple-login.toml --encrypt --backend secretumvault --format json - Verify:
passwordfield showsvault:v1:...(not plaintext)
4. Field-Level Encryption Config
- Run with
credentials.toml: Fields with explicitencryption_backenduse their config - Run with CLI
--backend age: Fields without explicit config use Age - Verify mixed backends work correctly
Output Examples
Redaction Output
{
"username": "alice",
"email": "alice@example.com",
"password": "[REDACTED]",
"api_token": "[REDACTED]",
"demo_password": "visible"
}
Age Encryption Output
{
"username": "alice",
"email": "alice@example.com",
"password": "age1muz6ah54ew9am7mzmy0m4w5arcegt056l9448sqy5ju27q5qaf3qjv35tr",
"api_token": "age1muz6ah54ew9am7mzmy0m4w5arcegt056l9448sqy5ju27q5qaf3qjv35tr",
"demo_password": "visible"
}
SOPS Encryption Output
{
"username": "alice",
"email": "alice@example.com",
"password": "sops:v1:4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f",
"api_token": "sops:v1:5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5a6b7c8d9e0f1g2h3i4j5k",
"demo_password": "visible"
}
SecretumVault Encryption Output
{
"username": "alice",
"email": "alice@example.com",
"password": "vault:v1:KX1LZ8/PvEgMuKQBhDm8PQMLCMiSvE...",
"api_token": "vault:v1:KX1LZ8/PvEgMuKQBhDm8PQMLCMiSvE...",
"demo_password": "visible"
}
Documentation References
- Setup Guide: See
docs/encryption-services-setup.md - Quick Start: See
docs/encryption-quick-start.md - Implementation Status: See
docs/ENCRYPTION-IMPLEMENTATION-STATUS.md
Integration with CI/CD
These examples can be used for automated testing:
# Integration test script
#!/bin/bash
# Test 1: Redaction
typedialog form examples/08-encryption/simple-login.toml --redact --format json | \
jq -e '.password == "[REDACTED]"' || exit 1
# Test 2: Age encryption (if key exists)
if [ -f ~/.age/key.txt ]; then
OUTPUT=$(typedialog form examples/08-encryption/simple-login.toml \
--encrypt --backend age --key-file ~/.age/key.txt --format json)
# Verify ciphertext format
echo "$OUTPUT" | jq -e '.password | startswith("age1-")' || exit 1
fi
echo "All tests passed!"