fnox

A robust secrets management CLI tool that supports encrypted storage in version control and seamless integration with various remote cloud secret providers for cross-environment workflows.

About

fnox is a versatile secrets management tool designed to provide a secure and flexible interface for handling sensitive data across development, staging, and production environments. Created to solve the complexity of managing secrets in distributed and heterogeneous infrastructure, fnox allows users to centralize secret management while maintaining compatibility with existing workflows. The tool supports both secrets encrypted directly within version control, such as Git, and references to secrets stored in remote cloud services. By decoupling the storage location from the retrieval method, fnox enables developers to switch providers or environments without needing to modify application code.

Functionality of the tool revolves around a centralized TOML configuration file, typically named fnox.toml. This file acts as the single source of truth for the project, either storing encrypted ciphertexts that are safe to commit to version control or pointing to keys in remote secret managers like AWS Secrets Manager or HashiCorp Vault. When executed, fnox resolves these values based on the active profile, ensuring that the correct secrets are injected into the environment at runtime, whether for local execution or continuous integration pipelines.

Some of the key features are:

  • Flexible Storage: Support for encrypted inline secrets committed to Git and for remote references to cloud-managed secrets.
  • Provider Support: Integration with diverse providers, including age, AWS KMS, Azure Key Vault, Google Cloud KMS, 1Password, Bitwarden, HashiCorp Vault, and more.
  • Shell Integration: Automatically injects secrets into the shell environment when changing directories into a project folder.
  • Multi-Environment Profiles: Simplifies configuration management for different lifecycle stages by allowing secrets to be grouped into profiles like dev, staging, and production.
  • Hierarchical Config: Allows parent directories to contain shared secrets that are automatically merged with directory-specific configurations.
  • Command Execution: Provides a unified interface to execute commands with pre-loaded secrets via the exec subcommand.
  • Developer Experience: A simple, CLI-first design that works offline for encrypted secrets and integrates seamlessly with common development tools.
  • Extensible Architecture: Allows users to add or remove providers and test configurations using built-in diagnostic and testing utilities.

Operationally, fnox is designed to be highly accessible through its command-line interface. Users initialize the configuration in their project directory and then edit it to define providers and secrets. For encrypted secrets, the tool relies on public-key encryption, such as age, so that sensitive data remains protected even if the repository is public. When the tool is activated, it performs a resolution pass, decrypting values or fetching them from the configured provider APIs, before exposing them as standard environment variables to the child process.

Some common use cases include:

  • Version-Controlled Secrets: Safely committing encrypted development secrets to a Git repository so all team members have access without exposing plaintext passwords.
  • Cloud-Native Production Workflows: Referencing production secrets stored in managed services like AWS Secrets Manager or GCP Secret Manager directly within a local dev environment.
  • CI/CD Security: Dynamically injecting production secrets into CI pipelines during deployment based on environment profiles.
  • Local Credential Management: Leveraging local secret services like the OS Keychain or password-store to manage development database credentials or API keys.
  • Multi-Cloud Secret Consolidation: Managing a project that uses services across multiple cloud providers by centralizing the retrieval logic inside a single fnox.toml file.
