
Providers Overview

fnox supports multiple secret storage and encryption providers. Choose the ones that fit your workflow.

Provider Categories

🔐 Encryption (secrets in git, encrypted)

Store encrypted secrets in your fnox.toml file. The encrypted ciphertext is safe to commit to version control.

| Provider | Description | Best For |
|---|---|---|
| age | Modern encryption (works with SSH keys!) | Development secrets, open source projects |
| AWS KMS | AWS Key Management Service | AWS-based projects requiring IAM control |
| Azure KMS | Azure Key Vault encryption | Azure-based projects |
| GCP KMS | Google Cloud KMS | GCP-based projects |

Pros:

  • Secrets live in git (version control, code review)
  • Works offline
  • No monthly per-secret charges
  • Fast (no network calls to decrypt)

Cons:

  • Key rotation requires re-encrypting secrets
  • No centralized access control
  • No audit logs

☁️ Cloud Secret Storage (remote, centralized)

Store secrets remotely in cloud providers. Your fnox.toml contains only references to secret names.

| Provider | Description | Best For |
|---|---|---|
| AWS Secrets Manager | AWS centralized secrets | Production AWS workloads |
| Azure Key Vault Secrets | Azure secret storage | Production Azure workloads |
| GCP Secret Manager | Google Cloud secrets | Production GCP workloads |
| HashiCorp Vault | Self-hosted or HCP Vault | Multi-cloud, advanced features |

Pros:

  • Centralized secret management
  • IAM/RBAC access control
  • Audit logs
  • Automatic rotation (some providers)
  • Secrets never in git

Cons:

  • Requires network access
  • Costs money
  • Slower (network latency)
  • Vendor lock-in

🔑 Password Managers

Integrate with password managers you already use.

| Provider | Description | Best For |
|---|---|---|
| 1Password | 1Password CLI integration | Teams already using 1Password |
| Bitwarden | Bitwarden/Vaultwarden | Open source preference, self-hosting |

Pros:

  • Leverage existing password manager
  • Great UI and mobile apps
  • Team management features
  • Audit logs

Cons:

  • Requires subscription (1Password)
  • Session token management
  • Requires network access

💻 Local Storage

Store secrets locally on your machine.

| Provider | Description | Best For |
|---|---|---|
| OS Keychain | macOS/Windows/Linux credential stores | Local development, personal projects |
| Plain | Plaintext (default values only) | Non-sensitive defaults |

Pros:

  • OS-managed encryption (keychain)
  • No external dependencies
  • Free
  • Simple

Cons:

  • Per-machine (not for teams)
  • Requires GUI session (keychain)
  • Not suitable for production

Choosing a Provider

For Open Source Projects

Use age:

  • Encrypted secrets in git
  • Works with SSH keys
  • Simple setup
  • Free forever

For Development Teams

Use age for development and a cloud provider for production:

  • Dev/staging: age encrypted in git (team can clone and run)
  • Production: AWS/Azure/GCP Secrets Manager (centralized)

For AWS Infrastructure

For Azure Infrastructure

For Google Cloud Infrastructure

For Multi-Cloud

Use HashiCorp Vault:

  • Works across all clouds
  • Advanced features (dynamic secrets, leasing)
  • Self-hosted or managed (HCP Vault)

For Existing 1Password Users

Use 1Password:

  • Leverage existing infrastructure
  • Great for small teams
  • Nice UI and mobile apps

For Personal Projects

Use age or OS Keychain:

  • Simple setup
  • Free
  • No cloud dependencies

Mixing Providers

You can use multiple providers in the same project:

```toml
# Age for development
[providers.age]
type = "age"
recipients = ["age1..."]

# AWS for production
[providers.aws]
type = "aws-sm"
region = "us-east-1"

# Development secrets (encrypted in git)
[secrets.DATABASE_URL]
provider = "age"
value = "encrypted..."

# Production secrets (in AWS)
[profiles.production.secrets.DATABASE_URL]
provider = "aws"
value = "database-url"
```

Feature Comparison

| Feature | age | AWS KMS | AWS SM | 1Password | Vault |
|---|---|---|---|---|---|
| Offline | | | | | |
| In Git | | | | | |
| Free | | 💰 | 💰 | 💰 | ✅* |
| Audit Logs | | | | | |
| Access Control | | | | | |
| Rotation | Manual | Manual | | Manual | |
| Team-Friendly | | | | | |

*Self-hosted Vault is free, HCP Vault is paid

Next Steps

Choose a provider and get started:
