Providers Overview โ
fnox supports multiple secret storage and encryption providers. Choose the ones that fit your workflow.
Provider Categories โ
๐ Encryption (secrets in git, encrypted) โ
Store encrypted secrets in your fnox.toml file. The encrypted ciphertext is safe to commit to version control.
| Provider | Description | Best For |
|---|---|---|
| age | Modern encryption (works with SSH keys!) | Development secrets, open source projects |
| AWS KMS | AWS Key Management Service | AWS-based projects requiring IAM control |
| Azure KMS | Azure Key Vault encryption | Azure-based projects |
| GCP KMS | Google Cloud KMS | GCP-based projects |
โ๏ธ Cloud Secret Storage (remote, centralized) โ
Store secrets remotely in cloud providers. Your fnox.toml contains only references to secret names.
| Provider | Description | Best For |
|---|---|---|
| AWS Parameter Store | AWS SSM Parameter Store | Config values, simple secrets |
| AWS Secrets Manager | AWS centralized secrets | Production AWS workloads |
| Azure Key Vault Secrets | Azure secret storage | Production Azure workloads |
| GCP Secret Manager | Google Cloud secrets | Production GCP workloads |
| Bitwarden Secrets Manager | Bitwarden Secrets Manager (bws CLI) | Teams using Bitwarden for DevOps secrets |
| Doppler | Doppler secrets manager | Developer-friendly cloud secrets |
| HashiCorp Vault | Self-hosted or HCP Vault | Multi-cloud, advanced features |
๐ Password Managers & Secret Services โ
Integrate with password managers and secret services you already use.
| Provider | Description | Best For |
|---|---|---|
| 1Password | 1Password CLI integration | Teams already using 1Password |
| Bitwarden | Bitwarden/Vaultwarden | Open source preference, self-hosting |
| Infisical | Infisical secrets | Modern secret management, open source |
๐ป Local Storage โ
Store secrets locally on your machine.
| Provider | Description | Best For |
|---|---|---|
| OS Keychain | macOS/Windows/Linux credential stores | Local development, personal projects |
| KeePass | KeePass database files (.kdbx) | Offline use, KeePassXC users |
| password-store | GPG-encrypted local password store | CLI users, git-based sync, Unix systems |
| Plain | Plaintext (default values only) | Non-sensitive defaults |
Mixing Providers โ
You can use multiple providers in the same project:
toml
# Age for development
[providers]
age = { type = "age", recipients = ["age1..."] }
aws = { type = "aws-sm", region = "us-east-1" }
# Development secrets (encrypted in git)
[secrets]
DATABASE_URL = { provider = "age", value = "encrypted..." }
# Production secrets (in AWS)
[profiles.production.secrets]
DATABASE_URL = { provider = "aws", value = "database-url" }Feature Comparison โ
| Feature | age | AWS KMS | AWS SM | 1Password | Vault |
|---|---|---|---|---|---|
| Offline | โ | โ | โ | โ | โ |
| In Git | โ | โ | โ | โ | โ |
| Free | โ | ๐ฐ | ๐ฐ | ๐ฐ | โ * |
| Audit Logs | โ | โ | โ | โ | โ |
| Access Control | โ | โ | โ | โ | โ |
| Rotation | Manual | Manual | โ | Manual | โ |
| Team-Friendly | โ | โ | โ | โ | โ |
*Self-hosted Vault is free, HCP Vault is paid
Next Steps โ
Choose a provider and get started:
- Age Encryption - Simple, free, works with SSH keys
- AWS Parameter Store - Simple, cost-effective AWS secret storage
- AWS Secrets Manager - For AWS production workloads with rotation
- 1Password - Leverage existing 1Password setup
- Complete Example - See providers in action