
jdx/fnox


πŸ” fnox

Fort Knox for your secrets.


Manage secrets with encryption or cloud providers—or both! fnox gives you a unified interface to work with secrets across development, CI, and production.

Quick Start

# Install via mise (recommended)
mise use -g fnox

# Initialize in your project
fnox init

# Set a secret (encrypted by default)
fnox set DATABASE_URL "postgresql://localhost/mydb"

# Get a secret
fnox get DATABASE_URL

# Run commands with secrets loaded
fnox exec -- npm start

# Enable shell integration (auto-load on cd)
eval "$(fnox activate bash)"  # or zsh, fish

What is fnox?

fnox lets you store secrets in two ways:

  1. Encrypted in git - Using age, AWS KMS, Azure KMS, or GCP KMS
  2. Remote in cloud - Using AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, Bitwarden, Infisical, or HashiCorp Vault

Your fnox.toml config file either contains encrypted secrets or references to remote secrets. Use fnox exec to run commands with secrets loaded, or enable shell integration to auto-load secrets when you cd into a directory.

Supported Providers

πŸ” Encryption (secrets in git, encrypted)

  • age - Modern encryption (works with SSH keys!)
  • aws-kms - AWS Key Management Service
  • azure-kms - Azure Key Vault encryption
  • gcp-kms - Google Cloud KMS

☁️ Cloud Secret Storage (remote, centralized)

  • aws-sm - AWS Secrets Manager
  • azure-sm - Azure Key Vault Secrets
  • gcp-sm - Google Cloud Secret Manager
  • vault - HashiCorp Vault

🔑 Password Managers & Secret Services

  • 1password - 1Password CLI
  • bitwarden - Bitwarden/Vaultwarden
  • infisical - Infisical secrets management

💻 Local Storage

  • keychain - OS Keychain (macOS/Windows/Linux)
  • plain - Plain text (for defaults only!)

Documentation

📚 Complete Documentation


Example

# fnox.toml

[providers]
age = { type = "age", recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"] }

[secrets]
# Development secrets (encrypted in git)
DATABASE_URL = { provider = "age", value = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdC..." }  # ← encrypted, safe to commit
API_KEY = { default = "dev-key-12345" }  # ← plain default for local dev

[profiles.production.providers]
aws = { type = "aws-sm", region = "us-east-1", prefix = "myapp/" }

[profiles.production.secrets]
DATABASE_URL = { provider = "aws", value = "database-url" }  # ← reference to AWS secret

# Development (uses encrypted secrets)
fnox exec -- npm start

# Production (uses AWS Secrets Manager)
fnox exec --profile production -- ./deploy.sh

Why fnox?

  • Flexible - Mix and match encryption and cloud providers
  • Team-friendly - Encrypted secrets in git, everyone can decrypt
  • Multi-environment - Different providers for dev, staging, prod
  • Shell integration - Auto-load secrets on directory change
  • Developer-focused - Simple config, powerful features
  • No vendor lock-in - Switch providers anytime

Installation

Using mise (recommended)

mise use -g fnox

Using Cargo

cargo install fnox

From Source

git clone https://github.com/jdx/fnox
cd fnox
cargo install --path .

Development

See CLAUDE.md for development guidelines.

# Build
mise run build

# Run tests
mise run test

# Run specific tests
mise run test:cargo
mise run test:bats

# Lint
mise run lint

# Full CI check
mise run ci

License

MIT License - see LICENSE for details.
