Ask HN: How to avoid plain text secret files?
6 points by surrTurr 12 days ago | 6 comments
I use a password manager & its CLI to get rid of e.g. my plain text PATH variables & access secrets from scripts.

However I can't find a way to get rid of plain text secret files such as e.g. a kubeconfig file.

Is there a tool (MacOS) that can e.g. encrypt files and show a popup when a process tries to access them? Or some other solution that helps me get rid of these plain text secret files.

MacOS keychain functions are exposed via the “security” command line tool. I use this in the terminal to push secrets into a new process’s environment when I don’t want them to persist in the terminal:

  security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w
Ex:

  # VAR=value prefix (no `export`): the secret lands only in the child's environment
  OPENAI_API_KEY=$(security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w) llm do-something-cool-thanks-simonw
This will pop up a keychain access request (password/biometric prompt) and then inject $USER’s matching “application password” type secret into the child process environment.

Note you need to first give the calling app permission to that secret in Keychain Access, otherwise you will get two password popups (one for the app, then one for the secret usage).

I have a function in my zshrc that wraps usage, to save typing.
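A wrapper in the spirit of the zshrc function mentioned in the comment above, as an added example (this is not the commenter's code). It assumes macOS security(1) with an "application password" item stored under the given service name; the variable name OPENAI_API_KEY, the service name PROJECT_OPENAI_API_KEY and the helper names are hypothetical. The security-relevant details it adds over the one-liner: the secret only ever exists in a subshell and in the child's environment, the command is refused if the lookup fails or returns an empty string (e.g. the prompt was cancelled), and env(1) is never run without a command, which would dump the environment, secret included.

```shell
#!/bin/sh
# Added example (not the commenter's own zshrc function): run one command with a
# keychain secret present only in that command's environment. Assumes macOS
# security(1); the variable and service names used below are hypothetical.

# Print the "application password" stored under keychain service $1 for the
# current user. On macOS this is the call that triggers the Keychain Access prompt.
keychain_lookup() {
  security find-generic-password -a "$USER" -s "$1" -w
}

# with_keychain_secret VAR SERVICE -- command [args...]
# The body is a subshell, so neither the secret nor the helper variables
# survive in the interactive shell once the command has finished.
with_keychain_secret() (
  var=$1 service=$2
  shift 2
  [ "${1:-}" = "--" ] && shift
  case $var in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "with_keychain_secret: invalid variable name '$var'" >&2; exit 2 ;;
  esac
  # Without a command, env(1) would print its whole environment, secret included.
  [ $# -gt 0 ] || { echo "with_keychain_secret: no command given" >&2; exit 2; }
  # Refuse to run with a missing or empty secret (lookup failed, prompt cancelled,
  # item absent) rather than start the command with an empty credential.
  secret=$(keychain_lookup "$service") || {
    echo "with_keychain_secret: keychain lookup for '$service' failed" >&2; exit 1; }
  [ -n "$secret" ] || { echo "with_keychain_secret: empty secret for '$service'" >&2; exit 1; }
  # env(1) sets VAR for the child only; exec hands this subshell over to it.
  exec env "$var=$secret" "$@"
)

# Usage (the parent shell's environment never gains OPENAI_API_KEY):
#   with_keychain_secret OPENAI_API_KEY PROJECT_OPENAI_API_KEY -- llm 'hello'
```

Because the function body is a subshell, `keychain_lookup` can also be redefined in a test shell to return a constructed value, which is how the behaviour above can be checked on a machine without a keychain.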


Hilariously, I skipped right over the part where you wrote about doing this lol.

yeah, I'm already doing this with my password manager 1Password

I'm still looking for a solution for secret plain text files

however, thanks for the tip - good to know it's also possible with plain macOS!


One solution I found so far, specifically for kubeconfig files: https://blog.mikael.green/post/1password-kubeconfig/

Update: F-Secure via DeepGuard allows defining "rules", which allow/deny file access for specific processes and files. Looks like a nice tool.
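For the kubeconfig case specifically, the post linked above is 1Password-based; as an added example that is not from that post or from this thread, here is the same idea built on the macOS keychain and kubectl's exec credential plugin mechanism (`users[].user.exec` in kubeconfig, with the plugin printing an `ExecCredential` document on stdout). The kubeconfig on disk then carries the server URL, CA data and the plugin path, none of which are secrets; the bearer token is fetched from the keychain at use time. It assumes macOS security(1); the service name PROJECT_K8S_TOKEN, the user name and the install path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the linked post): a kubectl exec
# credential plugin that fetches the bearer token from the macOS keychain, so
# the kubeconfig on disk holds no secret. Assumes macOS security(1); the
# service name PROJECT_K8S_TOKEN and the install path are hypothetical.
#
# kubeconfig user entry pointing at this script (the file then contains only
# the plugin path and a non-secret service name):
#   users:
#   - name: dev
#     user:
#       exec:
#         apiVersion: client.authentication.k8s.io/v1
#         command: /usr/local/bin/kube-keychain-token
#         args: ["PROJECT_K8S_TOKEN"]
#         interactiveMode: Never

# Escape backslashes and double quotes so the token is a valid JSON string
# (tokens are single-line, so control characters are not handled here).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# The ExecCredential document kubectl reads from the plugin's stdout.
exec_credential_json() {
  printf '{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","status":{"token":"%s"}}\n' \
    "$(json_escape "$1")"
}

# Read the token stored under keychain service $1; prompts via Keychain Access.
fetch_token() {
  security find-generic-password -a "$USER" -s "$1" -w
}

# main SERVICE: on any failure print nothing on stdout and return non-zero, so
# kubectl reports the plugin error instead of sending an empty bearer token.
main() {
  service=${1:-PROJECT_K8S_TOKEN}
  token=$(fetch_token "$service") || {
    echo "kube-keychain-token: keychain lookup for '$service' failed" >&2; return 1; }
  [ -n "$token" ] || { echo "kube-keychain-token: empty token for '$service'" >&2; return 1; }
  exec_credential_json "$token"
}

# Run only when installed and executed under the plugin name, not when sourced.
case ${0##*/} in kube-keychain-token) main "$@" ;; esac
```

Store the token once with `security add-generic-password -a "$USER" -s PROJECT_K8S_TOKEN -w`, grant the plugin access to that item in Keychain Access to avoid the double prompt described in the earlier comment, and keep the old kubeconfig's `token:` line out of the file. For certificate-based users the same document carries `clientCertificateData` and `clientKeyData` under `status` instead of `token`.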

https://www.privacyprotect.dev/ uses the web browsers' encryption libraries
