feat: encryption with age

testdata/cp__encrypt__ok.ct

@@ -0,0 +1,7 @@
+# Copy an encrypted key; both keys should decrypt.
+$ pda set --encrypt secret-key hidden-value
+$ pda cp secret-key copied-key
+$ pda get secret-key
+hidden-value
+$ pda get copied-key
+hidden-value

testdata/help__ok.ct

@@ -15,6 +15,7 @@ Usage:
 Key commands:
   copy         Make a copy of a key
   get          Get the value of a key
+  identity     Show or create the age encryption identity
   list         List the contents of a store
   move         Move a key
   remove       Delete one or more keys
@@ -56,6 +57,7 @@ Usage:
 Key commands:
   copy         Make a copy of a key
   get          Get the value of a key
+  identity     Show or create the age encryption identity
   list         List the contents of a store
   move         Move a key
   remove       Delete one or more keys

testdata/help__set__ok.ct

@@ -2,6 +2,9 @@ $ pda help set
 $ pda set --help
 Set a key to a given value or stdin. Optionally specify a store.
 
+Pass --encrypt to encrypt the value at rest using age. An identity file
+is generated automatically on first use.
+
 PDA supports parsing Go templates. Actions are delimited with {{ }}.
 
 For example:
@@ -18,11 +21,15 @@ Aliases:
   set, s
 
 Flags:
+  -e, --encrypt        Encrypt the value at rest using age
   -h, --help           help for set
   -i, --interactive    Prompt before overwriting an existing key
   -t, --ttl duration   Expire the key after the provided duration (e.g. 24h, 30m)
 Set a key to a given value or stdin. Optionally specify a store.
 
+Pass --encrypt to encrypt the value at rest using age. An identity file
+is generated automatically on first use.
+
 PDA supports parsing Go templates. Actions are delimited with {{ }}.
 
 For example:
@@ -39,6 +46,7 @@ Aliases:
   set, s
 
 Flags:
+  -e, --encrypt        Encrypt the value at rest using age
   -h, --help           help for set
   -i, --interactive    Prompt before overwriting an existing key
   -t, --ttl duration   Expire the key after the provided duration (e.g. 24h, 30m)

testdata/mv__encrypt__ok.ct

@@ -0,0 +1,7 @@
+# Move an encrypted key; the new key should still decrypt.
+$ pda set --encrypt secret-key hidden-value
+$ pda mv secret-key moved-key
+$ pda get moved-key
+hidden-value
+$ pda get secret-key --> FAIL
+FAIL  cannot get 'secret-key': no such key

testdata/remove__dedupe__ok.ct

@@ -1,13 +1,15 @@
 $ pda set foo 1
 $ pda set bar 2
 $ pda ls
- a    echo hello 
-                 
- a1   1          
- a2   2          
- b1   3          
- bar  2          
- foo  1
+ a           echo hello   
+                          
+ a1          1            
+ a2          2            
+ b1          3            
+ bar         2            
+ copied-key  hidden-value 
+ foo         1            
+ moved-key   hidden-value
 $ pda rm foo --glob "*"
 $ pda get bar --> FAIL
 FAIL  cannot get 'bar': no such key

testdata/root__ok.ct

@@ -14,6 +14,7 @@ Usage:
 Key commands:
   copy         Make a copy of a key
   get          Get the value of a key
+  identity     Show or create the age encryption identity
   list         List the contents of a store
   move         Move a key
   remove       Delete one or more keys

testdata/set__encrypt__ok.ct

@@ -0,0 +1,4 @@
+# Set an encrypted key, then retrieve it (transparent decryption).
+$ pda set --encrypt api-key sk-test-123
+$ pda get api-key
+sk-test-123

testdata/set__encrypt__ok__with__ttl.ct

@@ -0,0 +1,4 @@
+# Set an encrypted key with TTL, then retrieve it.
+$ pda set --encrypt --ttl 1h api-key sk-ttl-test
+$ pda get api-key
+sk-ttl-test