Ask HN: How to avoid plain text secret files?
7 comments
MacOS keychain functions are exposed via the “security “ command line tool. I use this in the terminal to push secrets into a new process’s environment when I don’t want them to persist in the terminal:
Note you need to first give the calling app permissions to that secret into Keychain Access, otherwise you will get two password popups (one for the app, then one for the secret usage).
I have a function in my zshrc that wraps usage, to save typing.
> security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w
Ex: > export OPENAI_API_KEY=$(security find-generic-password -a "$USER" -s "PROJECT_OPENAI_API_KEY" -w) llm do-something-cool-thanks-simonw
This will pop up a keychain access request (password/biometric prompt) and then inject $USER’s matching “application password” type secret into the child process environment.Note you need to first give the calling app permissions to that secret into Keychain Access, otherwise you will get two password popups (one for the app, then one for the secret usage).
I have a function in my zshrc that wraps usage, to save typing.
Hilariously, I skipped right over the part where you wrote about doing this lol.
yeah, I'm already doing this with my password manager 1Password
I'm still looking for a solution for secret plain text files
however, thanks for the tip - good to know it's also possible with plain macOS!
I'm still looking for a solution for secret plain text files
however, thanks for the tip - good to know it's also possible with plain macOS!
Update: F-Secure via DeepGuard allows defining "rules", which allow/deny file access for specific processes and files. Looks like a nice tool.
One solution I found so far, specifically for kubeconfig files: https://blog.mikael.green/post/1password-kubeconfig/
https://www.privacyprotect.dev/ uses the webbrowsers' encryption libraries
However I can't find a way to get rid of plain text secret files such as e.g. a kubeconfig file.
Is there a tool (MacOS) that can e.g. encrypt files and ask for a popup when a process tries to access it? Or some other solutions that helps me get rid of these plain text secret files.