Agent skill
fnox-providers
Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/devops/fnox-providers
SKILL.md
Fnox - Providers
Configuring encryption and secret storage providers in Fnox for secure secrets management.
Provider Types
Fnox supports three categories of providers:
- Encryption - Local encryption (age, AWS KMS, Azure, GCP)
- Cloud Storage - Remote secret storage (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
- Password Managers - Integration with password managers (1Password, Bitwarden, Infisical, pass)
Age Encryption (Recommended)
Setup Age Provider
bash
# Generate age key pair
age-keygen -o ~/.config/fnox/keys/identity.txt
# Get public key
cat ~/.config/fnox/keys/identity.txt | grep "public key"
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
Configure Age in fnox.toml
toml
# fnox.toml (committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
Store Secrets with Age
bash
# Set encrypted secret
fnox set DATABASE_PASSWORD
# Prompts for value, encrypts with age public key
# Set from command
echo "secret-value" | fnox set API_KEY --provider age
Team Setup with Age
toml
# Multiple recipients for team access
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # Alice
"age1qw4r...", # Bob
"age1qx5t...", # CI/CD
]
AWS Secrets Manager
Configure AWS Secrets Manager
toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Optional: profile = "production"
Store Secrets in AWS
bash
# Reference AWS secret
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (AWS secret name)
AWS Secrets Manager Configuration
toml
[secrets]
DATABASE_URL = {
provider = "aws-sm",
value = "prod/database-url",
description = "Production database connection string"
}
API_KEY = {
provider = "aws-sm",
value = "prod/api-key"
}
AWS KMS Encryption
Configure AWS KMS
toml
[providers.kms]
type = "aws-kms"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
region = "us-east-1"
Use AWS KMS
bash
# Encrypt with KMS
fnox set SECRET_KEY --provider kms
Azure Key Vault
Configure Azure
toml
[providers.azure]
type = "azure-kv"
vault_url = "https://my-vault.vault.azure.net"
# Authentication via Azure CLI or environment variables
Azure Secrets
toml
[secrets]
DATABASE_PASSWORD = {
provider = "azure",
value = "database-password",
description = "Azure Key Vault secret name"
}
GCP Secret Manager
Configure GCP
toml
[providers.gcp]
type = "gcp-sm"
project_id = "my-project"
# Authentication via gcloud or service account
GCP Secrets
toml
[secrets]
API_KEY = {
provider = "gcp",
value = "projects/my-project/secrets/api-key/versions/latest"
}
HashiCorp Vault
Configure Vault
toml
[providers.vault]
type = "vault"
address = "https://vault.example.com"
token = { env = "VAULT_TOKEN" } # From environment
Vault Secrets
toml
[secrets]
DATABASE_URL = {
provider = "vault",
value = "secret/data/prod/database-url"
}
1Password
Configure 1Password
toml
[providers.onepassword]
type = "1password"
# Requires 1Password CLI (op) installed
1Password References
toml
[secrets]
API_KEY = {
provider = "onepassword",
value = "op://Production/API Keys/api-key"
}
DATABASE_PASSWORD = {
provider = "onepassword",
value = "op://Production/Database/password"
}
Bitwarden
Configure Bitwarden
toml
[providers.bitwarden]
type = "bitwarden"
# Requires Bitwarden CLI (bw) installed and unlocked
Bitwarden Secrets
toml
[secrets]
STRIPE_KEY = {
provider = "bitwarden",
value = "item-id/field-name"
}
Provider Testing
Test Provider Configuration
bash
# Test specific provider
fnox provider test age
fnox provider test aws-sm
# List configured providers
fnox provider list
# Add provider interactively
fnox provider add
# Remove provider
fnox provider remove age
Best Practices
Choose the Right Provider
toml
# Development: age (simple, local encryption)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Production: Cloud secret manager
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Team collaboration: 1Password or Bitwarden
[providers.onepassword]
type = "1password"
Use Multiple Providers
toml
# Different providers for different secrets
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
# Development secrets with age
DEV_API_KEY = { provider = "age", value = "age[...]" }
# Production secrets with AWS
PROD_DATABASE_URL = { provider = "aws-sm", value = "prod/db-url" }
Provider Aliases
toml
# Name providers descriptively
[providers.prod-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.staging-secrets]
type = "aws-sm"
region = "us-west-2"
[secrets]
DATABASE_URL = { provider = "prod-secrets", value = "prod/db" }
Common Patterns
Development to Production Migration
toml
# fnox.toml (development)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[secrets]
DATABASE_URL = { provider = "age", value = "age[...]" }
# fnox.production.toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url" }
Multi-Region Setup
toml
[providers.us-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.eu-secrets]
type = "aws-sm"
region = "eu-west-1"
[secrets]
US_API_ENDPOINT = { provider = "us-secrets", value = "us/api-endpoint" }
EU_API_ENDPOINT = { provider = "eu-secrets", value = "eu/api-endpoint" }
Hybrid Approach
toml
# Development secrets: age encryption
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Shared team secrets: 1Password
[providers.team]
type = "1password"
# Production secrets: AWS
[providers.prod]
type = "aws-sm"
region = "us-east-1"
[secrets]
DEV_DATABASE_URL = { provider = "age", value = "age[...]" }
TEAM_SLACK_WEBHOOK = { provider = "team", value = "op://Team/Slack/webhook" }
PROD_DATABASE_URL = { provider = "prod", value = "prod/db-url" }
Anti-Patterns
Don't Hardcode Credentials
toml
# Bad: Hardcoded credentials
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE" # NEVER DO THIS
secret_access_key = "wJalrXUtnFEMI/..." # NEVER DO THIS
# Good: Use AWS credentials chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials from ~/.aws/credentials or environment
Don't Mix Provider Types Unnecessarily
toml
# Bad: Too many providers for simple project
[providers.age]
type = "age"
[providers.aws-sm]
type = "aws-sm"
[providers.azure]
type = "azure-kv"
[providers.gcp]
type = "gcp-sm"
# Good: Choose one appropriate provider
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
Don't Share Private Keys
toml
# Bad: Private key in config
[providers.age]
identity = "AGE-SECRET-KEY-..." # NEVER COMMIT THIS
# Good: Reference external file
[providers.age]
identity = "~/.config/fnox/keys/identity.txt" # Gitignored
Provider-Specific Features
Age: Multiple Recipients
toml
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # Team member 1
"age1qw4r...", # Team member 2
"age1qx5t...", # CI/CD system
]
AWS: Cross-Account Access
toml
[providers.shared-secrets]
type = "aws-sm"
region = "us-east-1"
role_arn = "arn:aws:iam::123456789012:role/CrossAccountSecretsRole"
Vault: Namespace Support
toml
[providers.vault-prod]
type = "vault"
address = "https://vault.example.com"
namespace = "production"
token = { env = "VAULT_TOKEN" }
Related Skills
- configuration: Managing fnox.toml structure and secrets
- security-best-practices: Security guidelines for providers
Didn't find tool you were looking for?