Funny you wrote a wrapper like that, too. I ended up making something in C that uses readpassphrase(3) [with -lbsd on Linux, but I haven't built it on a Linux machine in years] and zeroes the memory with explicit_bzero(3) as it goes out.
The keys come from a dedicated password manager that only stores TOTP secrets and the password manager wipes the clipboard.
All this happens on a physically separate machine.