🔐
Multiple Provider Support
Works with age, AWS KMS/SM, Azure, GCP, 1Password, Bitwarden, HashiCorp Vault, and more.
fnoxFort Knox for your secrets
Manage secrets with encryption or cloud providers - or both!
Skip to content
Quick Example
bash
# Initialize fnox in your project
fnox init
# Set a secret (stores it encrypted in fnox.toml)
fnox set DATABASE_URL "postgresql://localhost/mydb"
# Get a secret
fnox get DATABASE_URL
# Run commands with secrets loaded as env vars
fnox exec -- npm start
# Enable shell integration (auto-load secrets on cd)
eval "$(fnox activate bash)" # or zsh, fishHow It Works
fnox uses a simple TOML config file (fnox.toml) that you check into git. Secrets are either:
- Encrypted inline - The encrypted ciphertext lives in the config file
- Remote references - The config contains a reference (like "my-db-password") that points to a secret in AWS/1Password/etc.
You configure providers (encryption methods or cloud services), then assign each secret to a provider. fnox handles the rest.
toml
# fnox.toml
[providers.age]
type = "age"
recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
[secrets.DATABASE_URL]
provider = "age"
value = "YWdlLWVuY3J5cHRpb24uLi4=" # ← encrypted ciphertext, safe to commit
[secrets.API_KEY]
default = "dev-key-12345" # ← plain default value for local devSupported Providers
🔐 Encryption (secrets in git, encrypted)
- age - Modern encryption (works with SSH keys!)
- aws-kms - AWS Key Management Service
- azure-kms - Azure Key Vault encryption
- gcp-kms - Google Cloud KMS
☁️ Cloud Secret Storage (remote, centralized)
- aws-sm - AWS Secrets Manager
- azure-sm - Azure Key Vault Secrets
- gcp-sm - Google Cloud Secret Manager
- vault - HashiCorp Vault
🔑 Password Managers
- 1password - 1Password CLI
- bitwarden - Bitwarden/Vaultwarden
💻 Local Storage
- keychain - OS Keychain (macOS/Windows/Linux)
- plain - Plain text (for defaults only!)