Quick Example
```bash
# Initialize fnox in your project
fnox init

# Set a secret (stores it encrypted in fnox.toml)
fnox set DATABASE_URL "postgresql://localhost/mydb"

# Get a secret
fnox get DATABASE_URL

# Run commands with secrets loaded as env vars
fnox exec -- npm start

# Enable shell integration (auto-load secrets on cd)
eval "$(fnox activate bash)"  # or zsh, fish
```

How It Works
fnox uses a simple TOML config file (fnox.toml) that you check into git. Secrets are either:
- Encrypted inline - The encrypted ciphertext lives in the config file
- Remote references - The config contains a reference (like "my-db-password") that points to a secret in AWS/1Password/etc.
You configure providers (encryption methods or cloud services), then assign each secret to a provider. fnox handles the rest.
```toml
# fnox.toml
[providers]
age = { type = "age", recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"] }

[secrets]
DATABASE_URL = { provider = "age", value = "YWdlLWVuY3J5cHRpb24uLi4=" }  # ← encrypted ciphertext, safe to commit
API_KEY = { default = "dev-key-12345" }  # ← plain default value for local dev
```

Supported Providers
🔐 Encryption (secrets in git, encrypted)
- age - Modern encryption (works with SSH keys!)
- aws-kms - AWS Key Management Service
- azure-kms - Azure Key Vault encryption
- gcp-kms - Google Cloud KMS
☁️ Cloud Secret Storage (remote, centralized)
- aws-sm - AWS Secrets Manager
- azure-sm - Azure Key Vault Secrets
- gcp-sm - Google Cloud Secret Manager
- vault - HashiCorp Vault
🔑 Password Managers
- 1password - 1Password CLI
- bitwarden - Bitwarden/Vaultwarden
💻 Local Storage
- keychain - OS Keychain (macOS/Windows/Linux)
- plain - Plain text (for defaults only!)

