[mreinsch]

sniffing isn't the main issue I'm trying to avoid, it's accidental exposure. I.e. minimising the risk that during normal operations the secrets get exposed somehow.

[tezza]

Okay... sniffed accidentally then ( putting them in the wrong directory, not using fs permissions properly etc )

I would say that you should consider malicious sniffing too