fnox-providers

# Fnox - Providers

Configuring encryption and secret storage providers in Fnox for secure secrets management.

## Provider Types

Fnox supports three categories of providers:

1. **Encryption** - Local encryption (age, AWS KMS, Azure, GCP)
2. **Cloud Storage** - Remote secret storage (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
3. **Password Managers** - Integration with password managers (1Password, Bitwarden, Infisical, pass)

## Age Encryption (Recommended)

### Setup Age Provider

```bash
# Generate age key pair
age-keygen -o ~/.config/fnox/keys/identity.txt

# Get public key
cat ~/.config/fnox/keys/identity.txt | grep "public key"
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```

### Configure Age in fnox.toml

```toml
# fnox.toml (committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]

# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
```

### Store Secrets with Age

```bash
# Set encrypted secret
fnox set DATABASE_PASSWORD
# Prompts for value, encrypts with age public key

# Set from command
echo "secret-value" | fnox set API_KEY --provider age
```

### Team Setup with Age

```toml
# Multiple recipients for team access
[providers.age]
type = "age"
public_keys = [
  "age1ql3z...",  # Alice
  "age1qw4r...",  # Bob
  "age1qx5t...",  # CI/CD
]
```

## AWS Secrets Manager

### Configure AWS Secrets Manager

```toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Optional: profile = "production"
```

### Store Secrets in AWS

```bash
# Reference AWS secret
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (AWS secret name)
```

### AWS Secrets Manager Configuration

```toml
[secrets]
DATABASE_URL = {
  provider = "aws-sm",
  value = "prod/database-url",
  description = "Production database connection string"
}

API_KEY = {
  provider = "aws-sm",
  value = "prod/api-key"
}
```

## AWS KMS En