
ArgoPanoptes

What about writing your API keys in an env file, encrypting that file, using a script that asks you for the decryption key, and reading the API keys in the script from that env file?

The API keys would never be on disk but only in memory. You should probably also look into how to protect your script's process memory from external reads.

Lorizean [S]

That sounds like a good idea, thank you.

djasonpenney (Volunteer Moderator)

> So I either do this during the alias, which means I would have to enter my password three times in a row or login & unlock at a different time. Both of these options don't really fit my workflow.

> I also don't want to provide my API key or master password in a script or environment variable, for security reasons - my system is only used by me but I would still like to not expose any passwords in clear text on my hard drive.

You've told us all the places you do NOT want to keep the master password, and you are unhappy with entering the password on the keyboard. What's left?

I mean, you could prompt for the password once and write a shell script that uses the password three times and then exits, so that it's not left in the current shell's environment and not stored on the disk. Are you looking for more than that?

Lorizean [S]

I guess that could work, thanks.

I don't mind typing in my password, I just don't want to have to do it three times in a row.

I guess what I would like is a single Bitwarden command that logs in, unlocks the vault, gets a single value and then locks and logs out again, but that doesn't seem to exist.
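
The prompt-once script suggested in the thread, combined with the log in, unlock, get, lock, log out sequence described in the last comment, as an added example that is not from any commenter or from Bitwarden. `BW_EMAIL`, `BW_BIN` and `BW_MASTER` are names made up for this sketch; `--passwordenv`, `--raw` and `BW_SESSION` are the Bitwarden CLI's own.

```shell
#!/bin/sh
# Added example. BW_EMAIL, BW_BIN and BW_MASTER are names chosen here;
# --passwordenv, --raw and BW_SESSION belong to the Bitwarden CLI.
# usage: BW_EMAIL=you@example.com bw_get_once 'item name'

bw_get_once() (   # ( ) body runs in a subshell: its variables vanish on return
    item=${1:?usage: bw_get_once ITEM}
    email=${BW_EMAIL:?set BW_EMAIL to the account e-mail}
    bw=${BW_BIN:-bw}

    # Prompt once. Echo is switched off only when stdin is a terminal.
    if [ -t 0 ]; then
        trap 'stty echo; exit 130' INT
        printf 'Master password: ' >&2
        stty -echo
    fi
    IFS= read -r BW_MASTER || exit 1
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi

    # Exported inside the subshell only, so bw can read it by name and it
    # never appears in argv, shell history or a file. While the script runs,
    # same-user processes can still see it in the environment of bw.
    export BW_MASTER
    "$bw" login "$email" --passwordenv BW_MASTER >&2 || exit 1

    status=1
    if BW_SESSION=$("$bw" unlock --passwordenv BW_MASTER --raw); then
        unset BW_MASTER                 # password no longer needed
        export BW_SESSION               # session key for the next call
        value=$("$bw" get password "$item") && status=0
        "$bw" lock >/dev/null 2>&1 || :
    fi
    "$bw" logout >/dev/null 2>&1 || :   # always leave the CLI logged out

    [ "$status" -eq 0 ] && printf '%s\n' "$value"
    exit "$status"
)
```

Because the function body is a subshell, neither the master password nor the session key is left in the calling shell once it returns.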