GitHub - jdx/fnox: encrypted/remote secret manager

🔐 fnox

Fort Knox for your secrets.

Manage secrets with encryption or cloud providers—or both! fnox gives you a unified interface to work with secrets across development, CI, and production.

Quick Start

# Install via mise (recommended)
mise use -g fnox

# Initialize in your project
fnox init

# Set a secret (encrypted by default)
fnox set DATABASE_URL "postgresql://localhost/mydb"

# Get a secret
fnox get DATABASE_URL

# Run commands with secrets loaded
fnox exec -- npm start

# Enable shell integration (auto-load on cd)
eval "$(fnox activate bash)"  # or zsh, fish

What is fnox?

fnox lets you store secrets in two ways:

Encrypted in git - Using age, AWS KMS, Azure KMS, or GCP KMS
Remote in cloud - Using AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, Bitwarden, Infisical, or HashiCorp Vault

Your fnox.toml config file either contains encrypted secrets or references to remote secrets. Use fnox exec to run commands with secrets loaded, or enable shell integration to auto-load secrets when you cd into a directory.

Supported Providers

🔐 Encryption (secrets in git, encrypted)

age - Modern encryption (works with SSH keys!)
aws-kms - AWS Key Management Service
azure-kms - Azure Key Vault encryption
gcp-kms - Google Cloud KMS

☁️ Cloud Secret Storage (remote, centralized)

aws-ps - AWS Parameter Store
aws-sm - AWS Secrets Manager
azure-sm - Azure Key Vault Secrets
gcp-sm - Google Cloud Secret Manager
vault - HashiCorp Vault

🔑 Password Managers & Secret Services

1password - 1Password CLI
bitwarden - Bitwarden/Vaultwarden
infisical - Infisical secrets management

💻 Local Storage

keychain - OS Keychain (macOS/Windows/Linux)
keepass - KeePass database files (.kdbx)
password-store - GPG-encrypted password store (Unix pass)
plain - Plain text (for defaults only!)

Documentation

📚 Complete Documentation

Quick Links

Provider Guides

Age Encryption - Simple, free, works with SSH keys
AWS Secrets Manager - Centralized AWS secret management
1Password - Integrate with 1Password CLI
Bitwarden - Open source password manager

View all providers →

Reference

Example

# fnox.toml

[providers]
age = { type = "age", recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"] }

[secrets]
# Development secrets (encrypted in git)
DATABASE_URL = { provider = "age", value = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdC..." }  # ← encrypted, safe to commit
API_KEY = { default = "dev-key-12345" }  # ← plain default for local dev

[profiles.production.providers]
aws = { type = "aws-sm", region = "us-east-1", prefix = "myapp/" }

[profiles.production.secrets]
DATABASE_URL = { provider = "aws", value = "database-url" }  # ← reference to AWS secret

# Development (uses encrypted secrets)
fnox exec -- npm start

# Production (uses AWS Secrets Manager)
fnox exec --profile production -- ./deploy.sh

Why fnox?

Flexible - Mix and match encryption and cloud providers
Team-friendly - Encrypted secrets in git, everyone can decrypt
Multi-environment - Different providers for dev, staging, prod
Shell integration - Auto-load secrets on directory change
Developer-focused - Simple config, powerful features
No vendor lock-in - Switch providers anytime

Installation

Using mise (recommended)

Using Cargo

From Source

git clone https://github.com/jdx/fnox
cd fnox
cargo install --path .

Development

See CLAUDE.md for development guidelines.

# Build
mise run build

# Run tests
mise run test

# Run specific tests
mise run test:cargo
mise run test:bats

# Lint
mise run lint

# Full CI check
mise run ci

License

MIT License - see LICENSE for details.