[psandor]

You should never store unencrypted secrets, like this export file, on an unencrypted disk. Not even temporarily. Instead, create a small encrypted drive on a pendrive or as a file with LUKS or Veracrypt, mount it, and save the file _directly_ there.

[lloydatkinson]

I imagine that’s why the post talks about PGP encrypting the file?

[granddave]

Yes, that's correct. The script takes the output from bw-cli and pipes it directly (sort of since we also store it in a variable to calculate the number of rows) to gpg which then encrypts it.

The only secret we have in plain text here is the API token for Todoist which I'm OK with. It's always the balance between security and comfort.