How to avoid plain text secret files?

Question

I use a password manager & its CLI to get rid of e.g. my plain text PATH variables & access secrets from scripts.However I can't find a way to get rid of plain text secret files such as e.g. a kubeconfig file.Is there a tool (MacOS) that can e.g. encrypt files and ask for a popup when a process tries to access it? Or some other solutions that helps me get rid of these plain text secret files.

threecheese · Accepted Answer

MacOS keychain functions are exposed via the “security “ command line tool. I use this in the terminal to push secrets into a new process’s environment when I don’t want them to persist in the terminal:

  > security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w

Ex:

  > export OPENAI_API_KEY=$(security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w) llm do-something-cool-thanks-simonw

This will pop up a keychain access request (password/biometric prompt) and then inject $USER’s matching “application password” type secret into the child process environment.

Note you need to first give the calling app permissions to that secret into Keychain Access, otherwise you will get two password popups (one for the app, then one for the secret usage).

I have a function in my zshrc that wraps usage, to save typing.

surrTurr · Answer

One solution I found so far, specifically for kubeconfig files: https://blog.mikael.green/post/1password-kubeconfig/

surrTurr · Answer

Update: F-Secure via DeepGuard allows defining "rules", which allow/deny file access for specific processes and files. Looks like a nice tool.

sfmz · Answer

https://www.privacyprotect.dev/ uses the webbrowsers' encryption libraries