# Providers Overview
fnox supports multiple secret storage and encryption providers. Choose the ones that fit your workflow.
## Provider Categories
### 🔐 Encryption (secrets in git, encrypted)
Store encrypted secrets in your `fnox.toml` file. The encrypted ciphertext is safe to commit to version control.
| [age](/providers/age) | Modern encryption (works with SSH keys!) | Development secrets, open source projects |
| [AWS KMS](/providers/aws-kms) | AWS Key Management Service | AWS-based projects requiring IAM control |
| [Azure KMS](/providers/azure-kms) | Azure Key Vault encryption | Azure-based projects |
| [GCP KMS](/providers/gcp-kms) | Google Cloud KMS | GCP-based projects |
### ☁️ Cloud Secret Storage (remote, centralized)
Store secrets remotely in cloud providers. Your `fnox.toml` contains only references to secret names.
| [AWS Parameter Store](/providers/aws-ps) | AWS SSM Parameter Store | Config values, simple secrets |
| [AWS Secrets Manager](/providers/aws-sm) | AWS centralized secrets | Production AWS workloads |
| [Azure Key Vault Secrets](/providers/azure-sm) | Azure secret storage | Production Azure workloads |
| [GCP Secret Manager](/providers/gcp-sm) | Google Cloud secrets | Production GCP workloads |
| [Bitwarden Secrets Manager](/providers/bitwarden-sm) | Bitwarden Secrets Manager (bws CLI) | Teams using Bitwarden for DevOps secrets |
| [Doppler](/providers/doppler) | Doppler secrets manager | Developer-friendly cloud secrets |
| [FOKS](/providers/foks) | End-to-end encrypted, federated KV | Self-hosted, E2EE, team-shared secrets |
| [HashiCorp Vault](/providers/vault) | Self-hosted or HCP Vault | Multi-cloud, advanced features |
### 🔑 Password Managers & Secret Services
Integrate with password managers and secret services you already use.
| [1Password](/providers/1password) | 1Password CLI integration | Teams already using 1Password |
| [Bitwarden](/providers/bitwarden) | Bitwarden/Vaultwarden | Open source preference, self-hosting |
| [Infisical](/providers/infisical) | Infisical secrets | Modern secret management, open source |
### 💻 Local Storage
Store secrets locally on your machine.
| [OS Keychain](/providers/keychain) | macOS/Windows/Linux credential stores | Local development, personal projects |
| [KeePass](/providers/keepass) | KeePass database files (.kdbx) | Offline use, KeePassXC users |
| [password-store](/providers/password-store) | GPG-encrypted local password store | CLI users, git-based sync, Unix systems |
| [Plain](/providers/plain) | Plaintext (default values only) | Non-sensitive defaults |
## Mixing Providers
You can use multiple providers in the same project:
```toml
# Age for development
[providers]
age = { type = "age", recipients = ["age1..."] }
aws = { type = "aws-sm", region = "us-east-1" }
# Development secrets (encrypted in git)
[secrets]
DATABASE_URL = { provider = "age", value = "encrypted..." }
# Production secrets (in AWS)
[profiles.production.secrets]
DATABASE_URL = { provider = "aws", value = "database-url" }
```
## Feature Comparison
| Offline | ✅ | ❌ | ❌ | ❌ | ❌ |
| In Git | ✅ | ✅ | ❌ | ❌ | ❌ |
| Free | ✅ | 💰 | 💰 | 💰 | ✅\* |
| Audit Logs | ❌ | ✅ | ✅ | ✅ | ✅ |
| Access Control | ❌ | ✅ | ✅ | ✅ | ✅ |
| Rotation | Manual | Manual | ✅ | Manual | ✅ |
| Team-Friendly | ✅ | ✅ | ✅ | ✅ | ✅ |
\*Self-hosted Vault is free, HCP Vault is paid
## Next Steps
Choose a provider and get started:
- [Age Encryption](/providers/age) - Simple, free, works with SSH keys
- [AWS Parameter Store](/providers/aws-ps) - Simple, cost-effective AWS secret storage
- [AWS Secrets Manager](/providers/aws-sm) - For AWS production workloads with rotation
- [1Password](/providers/1password) - Leverage existing 1Password setup
- [Complete Example](/guide/real-world-example) - See providers in action