fnox 1.25.1

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

# HashiCorp Vault

HashiCorp Vault provides advanced secret management with dynamic secrets, leasing, and fine-grained access control.

## Prerequisites

- Vault server running (self-hosted or HCP Vault)
- Vault CLI installed
- Vault token with appropriate policies

## Installation

```bash
# macOS
brew install vault

# Linux
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault
```

## Configuration

```toml
[providers]
vault = { type = "vault", path = "secret/myapp" } # address and token are optional
```

- **address**: (Optional) The Vault server address. Falls back to `FNOX_VAULT_ADDR` or `VAULT_ADDR`.
- **path**: (Required) The base path for secrets in Vault (e.g., `secret/myapp`).
- **token**: (Optional) Vault token. Falls back to `FNOX_VAULT_TOKEN` or `VAULT_TOKEN`.

## Setup

### 1. Configure Vault Access

```bash
# Set Vault address
export VAULT_ADDR="https://vault.example.com:8200"

# Login and get token
vault login -method=userpass username=myuser

# Or export existing token
export VAULT_TOKEN="hvs.CAESIJ..."
```

### 2. Create Policy

```hcl
# policy.hcl
path "secret/data/myapp/*" {
  capabilities = ["read"]
}

path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}
```

```bash
vault policy write fnox-policy policy.hcl
```

### 3. Store Secrets in Vault

```bash
# KV v2 engine
vault kv put secret/myapp/database url="postgresql://prod.example.com/db"
vault kv put secret/myapp/api-key value="sk_live_abc123"
```

### 4. Reference in fnox

```toml
[secrets]
DATABASE_URL = { provider = "vault", value = "database/url" }  # → secret/myapp/database/url
API_KEY = { provider = "vault", value = "api-key/value" }  # → secret/myapp/api-key/value
```

## Usage

```bash
# Set token
export VAULT_TOKEN="hvs.CAESIJ..."

# Get secrets
fnox get DATABASE_URL

# Run commands
fnox exec -- ./app
```

## Pros

- ✅ Advanced features (dynamic secrets, leasing)
- ✅ Fine-grained access policies
- ✅ Audit logging
- ✅ Multi-cloud support
- ✅ Self-hosted option

## Cons

- ❌ Complex to set up and operate
- ❌ Requires Vault infrastructure
- ❌ Token management

## Next Steps

- [Vault Documentation](https://developer.hashicorp.com/vault/docs)
- [AWS Secrets Manager](/providers/aws-sm) - Simpler cloud alternative