# blindfold function - terraform-provider-f5xc

# function: blindfold

Encrypts base64-encoded plaintext using F5 Distributed Cloud Secret Management (blindfold).

Returns a sealed secret string suitable for use in `blindfold_secret_info.location` fields.

**Security**: The encryption happens locally using the public key fetched from F5XC.
The plaintext secret is **never** transmitted to F5XC during encryption.

## Example

```hcl
resource "f5xc_http_loadbalancer" "example" {
  name = "secure-lb"

  tls_parameters {
    private_key {
      blindfold_secret_info {
        location = provider::f5xc::blindfold(
          base64encode(file("${path.module}/private.key")),
          "example-secret-policy",
          "shared"
        )
      }
    }
  }
}
```

~> **Note:** This function requires Terraform 1.8 or later.

## Signature

<!-- signature generated by tfplugindocs -->
```text
blindfold(plaintext string, policy_name string, namespace string) string
```

## Arguments

<!-- arguments generated by tfplugindocs -->
1. `plaintext` (String) base64-encoded plaintext to encrypt. Use Terraform's `base64encode()` function for raw strings or file contents.

   Example: `base64encode(file("private.key"))`
1. `policy_name` (String) Name of the SecretPolicy that controls which clients can decrypt this secret.

   The policy must exist in the specified namespace before encryption.
1. `namespace` (String) F5XC namespace containing the SecretPolicy.

   Common values: `shared`, `system`, or your application namespace.
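An added configuration example, not taken from the provider's documentation, showing how to keep the plaintext out of the configuration itself: instead of a literal password, the secret arrives through a sensitive input variable, and Terraform propagates that sensitivity through the function call. The variable, policy and output names are assumptions.

```hcl
terraform {
  # Provider-defined functions such as provider::f5xc::blindfold need 1.8+.
  required_version = ">= 1.8.0"
}

# Assumed variable name. Supply the value out of band, e.g. via
# TF_VAR_origin_password or a tfvars file that is not committed.
variable "origin_password" {
  description = "Password for origin pool authentication"
  type        = string
  sensitive   = true
}

locals {
  # blindfold() expects base64 input, so the raw string is wrapped first.
  # The plaintext is never sent to F5XC; only the sealed result is used.
  # Because var.origin_password is sensitive, the sealed value is marked
  # sensitive too and is redacted from plan and apply output.
  sealed_origin_password = provider::f5xc::blindfold(
    base64encode(var.origin_password),
    "production-secrets-policy", # assumed SecretPolicy name
    "shared"                     # namespace that holds the policy
  )
}

# Terraform refuses to expose a sensitive-derived value in an output
# unless the output is also marked sensitive.
output "sealed_origin_password" {
  value     = local.sealed_origin_password
  sensitive = true
}
```

The sealed string can then be referenced as `local.sealed_origin_password` wherever a `blindfold_secret_info.location` field is expected.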

## Example Usage

```terraform
# Encrypt a secret string using F5XC blindfold
#
# The blindfold function encrypts base64-encoded plaintext using F5 Distributed
# Cloud Secret Management. The encryption happens locally - your secret is never
# transmitted to F5XC during encryption.

# Example: Encrypt a password for use in origin pool authentication
locals {
  encrypted_password = provider::f5xc::blindfold(
    base64encode("example-secret-password"),
    "production-secrets-policy",
    "shared"
  )
}

# Example: Encrypt a TLS private key from a file
locals {
  encrypted_key = provider::f5xc::blindfold(
    base64encode(file("${path.module}/certs/private.key")),
    "tls-secrets-policy",
    "shared"
  )
}

# Example: Using the encrypted secret in a resource
resource "f5xc_http_loadbalancer" "example" {
  name      = "secure-lb"
  namespace = "production"

  domains = ["example.com"]

  https_auto_cert {
    tls_config {
      custom_security {
        private_key {
          blindfold_secret_info {
            location = provider::f5xc::blindfold(
              base64encode(file("${path.module}/certs/server.key")),
              "tls-secrets-policy",
              "shared"
            )
          }
        }
      }
    }
  }
}
```

## See Also

- [F5XC Secret Management Documentation](https://docs.cloud.f5.com/docs/how-to/advanced-security/blindfold-your-tls-certificates)