by baronswindle 2541 days ago
I might be an idiot to ask this, but how is this different from the AWS CLI storing IAM keys in ~/.aws/credentials?

Or the private keys in ~/.ssh?
The private keys in .ssh can be stored encrypted. I do that, and store the decryption key in macOS keychain.
Can you share how to achieve this?
On linux, I use ssh-agent. My key at ~/.ssh/id_rsa is encrypted.

When my shell starts, it boots ssh-agent (add "eval `ssh-agent`" to your ~/.bashrc)

Still in the shell boot, it tries to add the ssh key to the keychain (add "ssh-add" to your ~/.bashrc), and it asks for my private key password. Once I enter the password, my key is unlocked for as long as ssh-agent is running (usually until I shut down my computer).

My password is long, but I only need to enter it once a day so it's not really a problem. You can add multiple keys to the ssh-agent (ssh-add mykey.pem). The private key must have these permissions: 0400 (chmod 0400 mykey.pem).
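The ssh-agent workflow in the comment above, written out as a set of shell helpers. This is an added example, not code posted in the thread: it assumes bash, OpenSSH's ssh-agent/ssh-add/ssh-keygen, and either GNU or BSD stat; all key paths are placeholders, and the functions are hypothetical names chosen for this illustration. It checks the 0400/0600 permission requirement, tells an encrypted key from an unencrypted one (so the "stored in plain text" case can be caught before it reaches the agent), and starts or reuses an agent from ~/.bashrc without spawning a new one per shell.

```shell
#!/usr/bin/env bash
# Added example: helpers for the ssh-agent workflow described in the thread.
# Assumes bash, OpenSSH, and GNU or BSD stat. Paths and function names are
# placeholders, not from the original post.

# Octal permission bits of a file; GNU stat first, BSD stat as the fallback.
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 when the private key is readable only by its owner (0400 or 0600),
# 1 otherwise. ssh itself refuses to use a key with looser permissions.
check_key_perms() {
  case "$(key_mode "$1")" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# Legacy PEM private keys carry a "Proc-Type: 4,ENCRYPTED" header when they
# are passphrase-protected, so a grep is enough for that format.
key_is_encrypted_pem() {
  grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Works for any format, including new-style OpenSSH keys: try to derive the
# public key with an empty passphrase. Failure means the key is protected
# (or unreadable). Needs ssh-keygen on PATH.
key_is_encrypted() {
  ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# For ~/.bashrc: reuse a reachable agent instead of starting one per shell.
# ssh-add -l exits 2 when it cannot contact an agent (1 just means no keys).
start_agent() {
  ssh-add -l >/dev/null 2>&1
  if [ $? -eq 2 ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
}

# Fix permissions, refuse plaintext keys, then load the key. ssh-add prompts
# for the passphrase once; the agent keeps the unlocked key until it exits.
add_key() {
  key="$1"
  chmod 0400 "$key"
  if ! key_is_encrypted "$key"; then
    echo "refusing to add $key: private key is not passphrase-protected" >&2
    return 1
  fi
  ssh-add "$key"
}

# Typical use from ~/.bashrc (commented out so sourcing this file has no side effects):
# start_agent
# add_key "$HOME/.ssh/id_rsa"
```

start_agent avoids the common mistake of putting a bare eval `ssh-agent` in ~/.bashrc, which leaves a new orphaned agent process behind for every shell you open; add_key encodes the thread's two rules (owner-only permissions, passphrase on the key) as checks rather than conventions.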

I can already see the headline "ssh-agent desktop application stores private keys in plain text".

There is no solution to the problem of the author beyond demanding a password on every single interaction.

You almost certainly should be storing your keys encrypted with a decent passphrase.
And if you want headless access this passphrase will be stored unencrypted. This is nothing more than security Kabuki theater.
Well, yeah, some keys must be unencrypted to be useful. But in a lot of cases you can and should encrypt your keys used to do manual stuff.
In this scenario, wouldn't that mean the user will have to enter a passphrase on each Trello boot to be able to use it?

(ask for passphrase -> decrypt auth token -> Access API)

No, you use ssh-agent.
Indeed if you want to do something stupid, something stupid will be the result