fnoxFort Knox for your secrets

Quick Example ​

# Initialize fnox in your project
fnox init

# Set a secret (stores it encrypted in fnox.toml)
fnox set DATABASE_URL "postgresql://localhost/mydb"

# Get a secret
fnox get DATABASE_URL

# Run commands with secrets loaded as env vars
fnox exec -- npm start

# Enable shell integration (auto-load secrets on cd)
eval "$(fnox activate bash)"  # or zsh, fish

How It Works ​

fnox uses a simple TOML config file (fnox.toml) that you check into git. Secrets are either:

1. Encrypted inline - The encrypted ciphertext lives in the config file
2. Remote references - The config contains a reference (like "my-db-password") that points to a secret in AWS/1Password/etc.

You configure providers (encryption methods or cloud services), then assign each secret to a provider. fnox handles the rest.

# fnox.toml
[providers]
age = { type = "age", recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"] }

[secrets]
DATABASE_URL = { provider = "age", value = "YWdlLWVuY3J5cHRpb24uLi4=" }  # ← encrypted ciphertext, safe to commit
API_KEY = { default = "dev-key-12345" }  # ← plain default value for local dev

Supported Providers ​

🔐 Encryption (secrets in git, encrypted) ​

• age - Modern encryption (works with SSH keys!)
• aws-kms - AWS Key Management Service
• azure-kms - Azure Key Vault encryption
• gcp-kms - Google Cloud KMS

☁️ Cloud Secret Storage (remote, centralized) ​

• aws-sm - AWS Secrets Manager
• azure-sm - Azure Key Vault Secrets
• gcp-sm - Google Cloud Secret Manager
• vault - HashiCorp Vault

🔑 Password Managers & Secret Services ​

• 1password - 1Password CLI
• bitwarden - Bitwarden/Vaultwarden
• infisical - Infisical secrets management

💻 Local Storage ​

• keychain - OS Keychain (macOS/Windows/Linux)
• password-store - GPG-encrypted password store (Unix pass)
• plain - Plain text (for defaults only!)