home / skills / thebushidocollective / han / providers

providers skill

needs review

/plugins/specialized/fnox/skills/providers

This skill helps you configure and manage Fnox providers for encryption, cloud secrets, and password managers across environments.

npx playbooks add skill thebushidocollective/han --skill providers

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

8.1 KB

---
name: fnox-providers
description: Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers.
allowed-tools:
  - Read
  - Write
  - Edit
  - Bash
  - Grep
  - Glob
---

# Fnox - Providers

Configuring encryption and secret storage providers in Fnox for secure secrets management.

## Provider Types

Fnox supports three categories of providers:

1. **Encryption** - Local encryption (age, AWS KMS, Azure, GCP)
2. **Cloud Storage** - Remote secret storage (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
3. **Password Managers** - Integration with password managers (1Password, Bitwarden, Infisical, pass)

## Age Encryption (Recommended)

### Setup Age Provider

```bash
# Generate age key pair
age-keygen -o ~/.config/fnox/keys/identity.txt

# Get public key
cat ~/.config/fnox/keys/identity.txt | grep "public key"
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```

### Configure Age in fnox.toml

```toml
# fnox.toml (committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]

# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
```

### Store Secrets with Age

```bash
# Set encrypted secret
fnox set DATABASE_PASSWORD
# Prompts for value, encrypts with age public key

# Set from command
echo "secret-value" | fnox set API_KEY --provider age
```

### Team Setup with Age

```toml
# Multiple recipients for team access
[providers.age]
type = "age"
public_keys = [
  "age1ql3z...",  # Alice
  "age1qw4r...",  # Bob
  "age1qx5t...",  # CI/CD
]
```

## AWS Secrets Manager

### Configure AWS Secrets Manager

```toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Optional: profile = "production"
```

### Store Secrets in AWS

```bash
# Reference AWS secret
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (AWS secret name)
```

### AWS Secrets Manager Configuration

```toml
[secrets]
DATABASE_URL = {
  provider = "aws-sm",
  value = "prod/database-url",
  description = "Production database connection string"
}

API_KEY = {
  provider = "aws-sm",
  value = "prod/api-key"
}
```

## AWS KMS Encryption

### Configure AWS KMS

```toml
[providers.kms]
type = "aws-kms"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
region = "us-east-1"
```

### Use AWS KMS

```bash
# Encrypt with KMS
fnox set SECRET_KEY --provider kms
```

## Azure Key Vault

### Configure Azure

```toml
[providers.azure]
type = "azure-kv"
vault_url = "https://my-vault.vault.azure.net"
# Authentication via Azure CLI or environment variables
```

### Azure Secrets

```toml
[secrets]
DATABASE_PASSWORD = {
  provider = "azure",
  value = "database-password",
  description = "Azure Key Vault secret name"
}
```

## GCP Secret Manager

### Configure GCP

```toml
[providers.gcp]
type = "gcp-sm"
project_id = "my-project"
# Authentication via gcloud or service account
```

### GCP Secrets

```toml
[secrets]
API_KEY = {
  provider = "gcp",
  value = "projects/my-project/secrets/api-key/versions/latest"
}
```

## HashiCorp Vault

### Configure Vault

```toml
[providers.vault]
type = "vault"
address = "https://vault.example.com"
token = { env = "VAULT_TOKEN" }  # From environment
```

### Vault Secrets

```toml
[secrets]
DATABASE_URL = {
  provider = "vault",
  value = "secret/data/prod/database-url"
}
```

## 1Password

### Configure 1Password

```toml
[providers.onepassword]
type = "1password"
# Requires 1Password CLI (op) installed
```

### 1Password References

```toml
[secrets]
API_KEY = {
  provider = "onepassword",
  value = "op://Production/API Keys/api-key"
}

DATABASE_PASSWORD = {
  provider = "onepassword",
  value = "op://Production/Database/password"
}
```

## Bitwarden

### Configure Bitwarden

```toml
[providers.bitwarden]
type = "bitwarden"
# Requires Bitwarden CLI (bw) installed and unlocked
```

### Bitwarden Secrets

```toml
[secrets]
STRIPE_KEY = {
  provider = "bitwarden",
  value = "item-id/field-name"
}
```

## Provider Testing

### Test Provider Configuration

```bash
# Test specific provider
fnox provider test age
fnox provider test aws-sm

# List configured providers
fnox provider list

# Add provider interactively
fnox provider add

# Remove provider
fnox provider remove age
```

## Best Practices

### Choose the Right Provider

```toml
# Development: age (simple, local encryption)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

# Production: Cloud secret manager
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"

# Team collaboration: 1Password or Bitwarden
[providers.onepassword]
type = "1password"
```

### Use Multiple Providers

```toml
# Different providers for different secrets
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"

[secrets]
# Development secrets with age
DEV_API_KEY = { provider = "age", value = "age[...]" }

# Production secrets with AWS
PROD_DATABASE_URL = { provider = "aws-sm", value = "prod/db-url" }
```

### Provider Aliases

```toml
# Name providers descriptively
[providers.prod-secrets]
type = "aws-sm"
region = "us-east-1"

[providers.staging-secrets]
type = "aws-sm"
region = "us-west-2"

[secrets]
DATABASE_URL = { provider = "prod-secrets", value = "prod/db" }
```

## Common Patterns

### Development to Production Migration

```toml
# fnox.toml (development)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

[secrets]
DATABASE_URL = { provider = "age", value = "age[...]" }

# fnox.production.toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"

[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url" }
```

### Multi-Region Setup

```toml
[providers.us-secrets]
type = "aws-sm"
region = "us-east-1"

[providers.eu-secrets]
type = "aws-sm"
region = "eu-west-1"

[secrets]
US_API_ENDPOINT = { provider = "us-secrets", value = "us/api-endpoint" }
EU_API_ENDPOINT = { provider = "eu-secrets", value = "eu/api-endpoint" }
```

### Hybrid Approach

```toml
# Development secrets: age encryption
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

# Shared team secrets: 1Password
[providers.team]
type = "1password"

# Production secrets: AWS
[providers.prod]
type = "aws-sm"
region = "us-east-1"

[secrets]
DEV_DATABASE_URL = { provider = "age", value = "age[...]" }
TEAM_SLACK_WEBHOOK = { provider = "team", value = "op://Team/Slack/webhook" }
PROD_DATABASE_URL = { provider = "prod", value = "prod/db-url" }
```

## Anti-Patterns

### Don't Hardcode Credentials

```toml
# Bad: Hardcoded credentials
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE"  # NEVER DO THIS
secret_access_key = "wJalrXUtnFEMI/..."  # NEVER DO THIS

# Good: Use AWS credentials chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials from ~/.aws/credentials or environment
```

### Don't Mix Provider Types Unnecessarily

```toml
# Bad: Too many providers for simple project
[providers.age]
type = "age"

[providers.aws-sm]
type = "aws-sm"

[providers.azure]
type = "azure-kv"

[providers.gcp]
type = "gcp-sm"

# Good: Choose one appropriate provider
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
```

### Don't Share Private Keys

```toml
# Bad: Private key in config
[providers.age]
identity = "AGE-SECRET-KEY-..."  # NEVER COMMIT THIS

# Good: Reference external file
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"  # Gitignored
```

## Provider-Specific Features

### Age: Multiple Recipients

```toml
[providers.age]
type = "age"
public_keys = [
  "age1ql3z...",  # Team member 1
  "age1qw4r...",  # Team member 2
  "age1qx5t...",  # CI/CD system
]
```

### AWS: Cross-Account Access

```toml
[providers.shared-secrets]
type = "aws-sm"
region = "us-east-1"
role_arn = "arn:aws:iam::123456789012:role/CrossAccountSecretsRole"
```

### Vault: Namespace Support

```toml
[providers.vault-prod]
type = "vault"
address = "https://vault.example.com"
namespace = "production"
token = { env = "VAULT_TOKEN" }
```

## Related Skills

- **configuration**: Managing fnox.toml structure and secrets
- **security-best-practices**: Security guidelines for providers

Overview

This skill helps configure Fnox providers for encrypting and storing secrets across local and cloud backends. It documents provider types, example fnox.toml entries, and workflow commands so teams can secure secrets consistently. Use it to set up age encryption, cloud secret managers (AWS, Azure, GCP), Vault, and popular password managers.

How this skill works

The skill inspects provider configuration patterns and shows concrete fnox.toml snippets for each supported provider type. It explains how Fnox uses providers to encrypt values, reference remote secret names, and test or list providers with fnox CLI commands. It also covers common team and environment setups, provider aliases, and migration patterns between development and production.

When to use it

Initial project setup to pick encryption and storage backends
Onboard new team members to a secrets workflow
Migrate development secrets to production secret managers
Configure CI/CD to access secrets securely
Audit or test provider connectivity with fnox provider test/list

Best practices

Prefer age for local development and easy encrypted sharing via public keys
Use cloud secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) for production secrets
Never commit private keys or raw credentials; reference external identity files or environment variables
Name providers descriptively and use aliases for regions or environments
Keep different providers for dev/staging/prod to avoid accidental secret exposure

Example use cases

Set up age: generate an age keypair, commit public key to fnox.toml, keep identity file gitignored for local decryption
Configure AWS Secrets Manager for production and map fnox secrets to AWS secret names
Integrate 1Password or Bitwarden for team-shared credentials and reference items via op:// or item-id/field-name
Use Vault with token from environment and leverage namespaces for multi-tenant setups
Create multi-region AWS provider aliases and map endpoints per region for global services

FAQ

How do I share access with teammates using age?

Add each teammate's age public key to the providers.age.public_keys list so encrypted secrets can be decrypted by all recipients.

Can I use multiple providers for the same secret during migration?

Yes. Keep different fnox.toml profiles (development vs production) and use provider aliases so you can migrate a secret from age to a cloud manager without changing code.