by Jakob 612 days ago
As middle ground for small scripts I like implementations like the one from 1Password: The environment variables contain the path to the secret:

export DB_PASSWORD="op://app-prod/db/password"

Calling the script with `op run scriptname` replaces the secret path with the actual secret after authentication during runtime.

This way you can commit the file but people still can use their own passwords locally without saving them in plaintext.

For Mac, I use `security set-generic-password` and `security find-generic-password` to manage secrets using Keychain.

Inspiration here: https://gist.github.com/bmhatfield/f613c10e360b4f27033761bbe...

Then you can use it like this:

export OPENAI_API_KEY=$(keychain-environment-variable OPENAI_API_KEY)

As a cross-platform alternative, I use pass (https://www.passwordstore.org)

    export OPEN_API_KEY=$(pass show open_api_key)

You can also do some nice things with https://github.com/getsops/sops. I store encrypted passwords and secrets in git with sops, but I also use nix, so I have near-perfect integration with my services.

I use `age` and `agebox` (https://github.com/slok/agebox) but same idea. I set up pre-commit and post-pull hooks to encrypt and decrypt all the env files I use in docker compose.

Another exposure path is /proc. Everybody forgets about this.

  $ export DB_PASSWORD=foo
  $ sh
  sh-5.1$ cat /proc/self/environ
  SHELL=/bin/mksh DB_PASSWORD=foo
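Tying the two threads together (the `op://` reference convention from the top comment and the /proc/self/environ exposure in the last one), here is an added check that is not from any commenter: it reads a NUL-separated environ file the way the kernel exposes it and reports secret-looking variables whose values are plaintext rather than an `op://` reference. The name patterns are a heuristic chosen here, and the default path assumes Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Lists environment variables whose names
# look like they carry a secret and whose values are plaintext (not an op://
# reference that `op run` would resolve at runtime). Reads the NUL-separated
# format of /proc/<pid>/environ, so it works on a live process or a saved copy.

# Usage: find_plaintext_secrets [environ_file]   (default: /proc/self/environ)
# Prints one variable NAME per line (values are never printed).
find_plaintext_secrets() {
    environ_file="${1:-/proc/self/environ}"
    # /proc/<pid>/environ separates entries with NUL bytes; turn them into lines.
    tr '\0' '\n' < "$environ_file" | while IFS= read -r entry; do
        case "$entry" in
            *=*) ;;
            *) continue ;;   # not a NAME=value pair
        esac
        name="${entry%%=*}"
        value="${entry#*=}"
        # Heuristic name patterns (assumption, extend as needed).
        case "$name" in
            *PASSWORD*|*SECRET*|*TOKEN*|*_KEY|*API_KEY*) ;;
            *) continue ;;
        esac
        # A reference path is safe to commit; only flag resolved plaintext values.
        case "$value" in
            op://*|"") continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Usage: env_is_clean [environ_file]
# Returns 0 when no plaintext secret is visible, 1 otherwise.
env_is_clean() {
    [ -z "$(find_plaintext_secrets "$1")" ]
}
```

Run `env_is_clean` from a shell before committing or sharing an environment, or point it at `/proc/<pid>/environ` of a service you own to see what that process actually carries.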