by tashian 868 days ago
Hi, I'm one of the authors of CLI Guidelines.

See my post https://smallstep.com/blog/command-line-secrets/ for a bit more of a deep dive about using secrets on the command line.

Credential files are a good, simple, portable option. Files have permissions already. They don't depend on an external service or a proprietary API.

And, if your program accepts a credential file, it will be compatible with systemd credentials. systemd credentials offer more security than an unencrypted credential file. They are encrypted and can be TPM-bound, but they don't require the software using the credential to have native TPM support.

1 comments

It's probably a good idea to check the permissions of that file, too, and emit a warning or exit with an error if they're too permissive.
A good example that all of us have seen is ssh. It does not run if permissions on certs are incorrect.
But it definitely could improve its error messages in this case.
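The two points above (accept a credential file so the program also works with systemd credentials, and refuse a credential file whose permissions are too loose, the way ssh refuses a world-readable key) combine into a small loader. The following is an added example, not code from tashian, smallstep, or the CLI Guidelines. It assumes what systemd documents for `LoadCredential=`/`LoadCredentialEncrypted=`: the service finds its decrypted credentials as plain files under the directory named by `$CREDENTIALS_DIRECTORY`, so no TPM code is needed in the program. The file names and secret values in `demo()` are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Any of these bits set on a credential file means group or other can touch it.
_GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


class CredentialPermissionError(Exception):
    """Raised when a credential file is accessible by more than its owner."""


def permission_problems(st_mode: int, st_uid: int, want_uid: int) -> List[str]:
    """Pure check on stat() results. Returns human-readable problems; empty list means OK.

    Kept separate from file I/O so the policy can be unit-tested and so the
    error message can name every problem at once (ssh's 'bad permissions'
    message tells you less than this)."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != want_uid:
        problems.append(f"owned by uid {st_uid}, expected uid {want_uid}")
    mode = stat.S_IMODE(st_mode)
    if mode & _GROUP_OTHER_BITS:
        problems.append(f"mode {mode:04o} is accessible by group/other")
    return problems


def load_credential(name: str, fallback_path: Optional[str] = None) -> str:
    """Resolve credential `name` (e.g. 'api-token'):

    1. If systemd passed credentials, read $CREDENTIALS_DIRECTORY/<name>.
       systemd already made that directory private to the service, and the
       file may have come from a TPM-bound encrypted blob without this
       program knowing.
    2. Otherwise read `fallback_path`, which must be a regular file owned by
       the current user with no group/other bits (0600 or tighter).
    """
    cred_dir = os.environ.get("CREDENTIALS_DIRECTORY")
    if cred_dir:
        return (Path(cred_dir) / name).read_text().strip()
    if fallback_path is None:
        raise FileNotFoundError(
            f"no credential {name!r}: run under systemd with LoadCredential= "
            f"or pass a credential file path")
    # os.stat follows symlinks; switch to os.lstat if symlinked credentials should be refused.
    st = os.stat(fallback_path)
    problems = permission_problems(st.st_mode, st.st_uid, os.getuid())
    if problems:
        raise CredentialPermissionError(
            f"refusing credential file {fallback_path}: " + "; ".join(problems)
            + f". Fix with: chmod 0600 {fallback_path}")
    return Path(fallback_path).read_text().strip()


def demo() -> Dict[str, str]:
    """Constructed demonstration: a 0600 file (accepted), a 0644 file (rejected),
    and a fake CREDENTIALS_DIRECTORY standing in for what systemd provides."""
    results: Dict[str, str] = {}
    saved = os.environ.pop("CREDENTIALS_DIRECTORY", None)  # isolate from the real environment
    try:
        with tempfile.TemporaryDirectory() as d:
            good = Path(d) / "good-token"
            good.write_text("s3cret\n")
            os.chmod(good, 0o600)
            results["good"] = load_credential("api-token", str(good))

            bad = Path(d) / "bad-token"
            bad.write_text("s3cret\n")
            os.chmod(bad, 0o644)
            try:
                load_credential("api-token", str(bad))
                results["bad"] = "accepted"
            except CredentialPermissionError:
                results["bad"] = "rejected"

            sysd = Path(d) / "credentials"  # plays the role of $CREDENTIALS_DIRECTORY
            sysd.mkdir()
            (sysd / "api-token").write_text("from-systemd\n")
            os.environ["CREDENTIALS_DIRECTORY"] = str(sysd)
            results["systemd"] = load_credential("api-token")
    finally:
        os.environ.pop("CREDENTIALS_DIRECTORY", None)
        if saved is not None:
            os.environ["CREDENTIALS_DIRECTORY"] = saved
    return results


if __name__ == "__main__":
    print(demo())
```

Because the loader only checks the fallback file, a service unit can switch from a chmod-0600 file in the home directory to `LoadCredentialEncrypted=api-token:/etc/credstore.encrypted/api-token` without any change to the program: the same `load_credential("api-token", "~/.config/app/token")` call picks up the systemd-provided copy first.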