This patch release fixes a security-relevant bug where fnox set silently stored secrets as plaintext when an encryption provider failed. It also adds custom endpoint support for all three AWS providers.
Fixed
fnox set now fails on encryption errors (#324) -- @jdx
Previously, fnox set caught encryption errors from any provider (age, AWS KMS, Azure KMS, GCP KMS, FIDO2, YubiKey) and silently fell back to storing the secret as plaintext. This meant a misconfigured or unreachable encryption provider would result in unencrypted secrets in your config file with only a warning in the logs.
Encryption failures are now hard errors -- fnox set will exit with a non-zero status and an error message instead of quietly storing plaintext.
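The two behaviours described above (the old silent plaintext fallback and the new hard error) side by side, as an added example in Rust; this is illustrative code written for these notes, not fnox's own implementation. `EncryptionProvider`, `FakeProvider`, `StoredValue` and `SetError` are hypothetical names, and the `FakeProvider` transform is a placeholder for a real provider call, not encryption.

```rust
use std::fmt;

/// What ends up persisted in the config file for a secret.
#[derive(Debug, PartialEq, Eq)]
pub enum StoredValue {
    Encrypted(Vec<u8>),
    Plaintext(String),
}

/// Error surfaced to the caller when `set` cannot encrypt.
#[derive(Debug, PartialEq, Eq)]
pub enum SetError {
    Encryption(String),
}

impl fmt::Display for SetError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SetError::Encryption(msg) => write!(f, "encryption failed: {msg}"),
        }
    }
}

/// Minimal stand-in for an encryption provider (age, a KMS, FIDO2, ...).
pub trait EncryptionProvider {
    fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>, String>;
}

/// Hypothetical provider that either works or fails every call,
/// modelling e.g. an unreachable KMS endpoint or a misconfigured key.
pub struct FakeProvider {
    pub reachable: bool,
}

impl EncryptionProvider for FakeProvider {
    fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>, String> {
        if self.reachable {
            // Toy byte transform so the output is visibly not the input.
            // This is NOT encryption; it only stands in for a provider call.
            Ok(plaintext.iter().map(|b| b ^ 0x5a).collect())
        } else {
            Err("provider unreachable".to_string())
        }
    }
}

/// Fail-open: the pre-fix behaviour. An encryption error only logs a
/// warning and the secret is written to the config as plaintext.
pub fn set_secret_fail_open(p: &dyn EncryptionProvider, value: &str) -> StoredValue {
    match p.encrypt(value.as_bytes()) {
        Ok(ct) => StoredValue::Encrypted(ct),
        Err(e) => {
            eprintln!("warning: encryption failed ({e}); storing plaintext");
            StoredValue::Plaintext(value.to_string())
        }
    }
}

/// Fail-closed: the fixed behaviour. Any encryption error aborts the set
/// and nothing is written.
pub fn set_secret_fail_closed(
    p: &dyn EncryptionProvider,
    value: &str,
) -> Result<StoredValue, SetError> {
    let ct = p.encrypt(value.as_bytes()).map_err(SetError::Encryption)?;
    Ok(StoredValue::Encrypted(ct))
}

/// Process exit status a CLI front-end would map the result to.
pub fn exit_code(r: &Result<StoredValue, SetError>) -> i32 {
    if r.is_ok() {
        0
    } else {
        1
    }
}

fn main() {
    let down = FakeProvider { reachable: false };
    let before = set_secret_fail_open(&down, "hunter2");
    println!("fail-open stored: {before:?}");
    let after = set_secret_fail_closed(&down, "hunter2");
    match &after {
        Ok(v) => println!("fail-closed stored: {v:?}"),
        Err(e) => eprintln!("error: {e}"),
    }
    println!("exit status: {}", exit_code(&after));
}
```

With the provider down, the fail-open path returns `Plaintext("hunter2")`, which is exactly the state the fix removes; the fail-closed path returns an `Err` and a non-zero exit status, so a script or CI step calling it stops instead of committing an unencrypted value.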
Fixed Linux cross-compilation (#326) -- @jdx
Cross-compiled Linux builds (x86_64-unknown-linux-gnu and aarch64-unknown-linux-gnu) were failing due to a missing libudev-dev system dependency required by the hidapi crate. A Cross.toml configuration now ensures the dependency is installed in the cross-compilation Docker containers.
Added
Custom endpoint for AWS providers (#324) -- @jdx
The AWS KMS (aws-kms), Secrets Manager (aws-sm), and Parameter Store (aws-ps) providers now accept an optional endpoint field. This lets you point them at LocalStack, MinIO, or any other AWS-compatible API endpoint. Add it to your provider config like so:
[providers.kms]
type = "aws-kms"
key_id = "alias/my-key"
region = "us-east-1"
endpoint = "<your-custom-endpoint-url>"
Breaking Changes
If you previously relied on fnox set silently falling back to plaintext when encryption failed, this behavior is removed. Encryption errors now cause the command to fail. Review any scripts or CI pipelines that call fnox set with encryption providers to ensure the provider is correctly configured and reachable.
Full Changelog: v1.16.0...v1.16.1