fnox 1.21.0

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272

# Import / Export

fnox can import secrets from various formats and export them for use in other tools.

## Import from Files

### From .env Files

```bash
# Import from .env file
fnox import -i .env

# Import and specify provider
fnox import -i .env --provider age
```

**Example .env file:**

```bash
DATABASE_URL=postgresql://localhost/mydb
API_KEY=sk_test_abc123
JWT_SECRET=super-secret-jwt-key
```

### From stdin

```bash
# Pipe from another source
cat .env | fnox import

# Using here-doc
fnox import << 'EOF'
DATABASE_URL=postgresql://localhost/mydb
API_KEY=sk_test_abc123
EOF
```

### From Different Formats

```bash
# JSON
fnox import -i secrets.json json

# YAML
fnox import -i secrets.yaml yaml

# TOML
fnox import -i secrets.toml toml
```

**Example secrets.json:**

```json
{
  "DATABASE_URL": "postgresql://localhost/mydb",
  "API_KEY": "sk_test_abc123"
}
```

**Example secrets.yaml:**

```yaml
DATABASE_URL: postgresql://localhost/mydb
API_KEY: sk_test_abc123
```

## Import Options

### With Provider

Encrypt secrets during import:

```bash
# Import and encrypt with age
fnox import -i .env --provider age

# Import and store in AWS Secrets Manager
fnox import -i .env --provider aws
```

### With Filters

Import only specific secrets:

```bash
# Import only secrets starting with "DATABASE_"
fnox import -i .env --filter "^DATABASE_"

# Import only API keys
fnox import -i .env --filter "^API_"
```

### With Prefix

Add a prefix to all imported secrets:

```bash
# Add "MYAPP_" prefix to all secrets
fnox import -i .env --prefix "MYAPP_"

# DATABASE_URL becomes MYAPP_DATABASE_URL
# API_KEY becomes MYAPP_API_KEY
```

### Combining Options

```bash
# Import DB secrets with encryption and prefix
fnox import -i .env \
  --filter "^DATABASE_" \
  --prefix "PROD_" \
  --provider age

# DATABASE_URL → PROD_DATABASE_URL (encrypted with age)
# DATABASE_PASSWORD → PROD_DATABASE_PASSWORD (encrypted with age)
```

## Export Secrets

### Export Formats

```bash
# Export as .env format (default)
fnox export

# Export as JSON
fnox export --format json

# Export as YAML
fnox export --format yaml

# Export as TOML
fnox export --format toml
```

### Save to File

```bash
# Export to file
fnox export > .env
fnox export --format json > secrets.json
fnox export --format yaml > secrets.yaml
fnox export --format toml > secrets.toml
```

### Export with Profile

```bash
# Export production secrets
fnox export --profile production > .env.production

# Export staging secrets as JSON
fnox export --profile staging --format json > staging.json
```

## Migration Workflows

### From .env to fnox with Encryption

```bash
# 1. Set up age provider
cat >> fnox.toml << 'EOF'
[providers.age]
type = "age"
recipients = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
EOF

# 2. Import and encrypt all secrets
fnox import -i .env --provider age

# 3. Remove .env file (secrets now encrypted in fnox.toml)
rm .env
```

### From fnox to .env (for legacy tools)

```bash
# Export current secrets to .env
fnox exec env | grep -v '^_' > .env

# Or use export command
fnox export > .env
```

### Between Providers

```bash
# 1. Export from AWS Secrets Manager
fnox export --profile production --format json > prod-secrets.json

# 2. Switch to age provider
cat >> fnox.toml << 'EOF'
[providers.age]
type = "age"
recipients = ["age1..."]
EOF

# 3. Re-import with new provider
fnox import -i prod-secrets.json json --provider age

# 4. Verify
fnox list
```

### Team Onboarding

```bash
# 1. Export example secrets (with dummy values)
fnox export --format json > secrets.example.json

# 2. Team member fills in real values
cp secrets.example.json secrets.json
# Edit secrets.json with real credentials

# 3. Import with encryption
fnox import -i secrets.json json --provider age

# 4. Delete plaintext file
rm secrets.json
```

## CI/CD Integration

### GitHub Actions Secrets → fnox

```yaml
# .github/workflows/setup-secrets.yml
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - name: Create secrets file
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          cat > secrets.env << EOF
          DATABASE_URL=$DATABASE_URL
          API_KEY=$API_KEY
          EOF

      - name: Import to fnox
        run: fnox import -i secrets.env --provider age
```

### fnox → Docker Compose

```bash
# Export for docker-compose
fnox export > .env

# Use in docker-compose.yml
# env_file:
#   - .env
```

### fnox → Kubernetes Secrets

```bash
# Export as YAML
fnox export --format yaml > secrets.yaml

# Create Kubernetes secret
kubectl create secret generic app-secrets \
  --from-env-file=<(fnox export)
```

## Next Steps

- [Providers](/providers/overview) - Choose providers for your secrets
- [Profiles](/guide/profiles) - Organize secrets by environment
- [Real-World Example](/guide/real-world-example) - Complete project setup