I have many scripts in my $PATH: Bash and Ruby executable files.

Some of these make API calls and need API keys and secret tokens to fetch the data.

But I can't embed them in the script files, because I check these scripts in to GitHub and to some external places too.

I don’t want these secrets to end up in those places.

So I need a programmatic way to store these secrets and access them from the scripts.

Enter secret-tool. It was already present in my Arch Linux installation. If it's not there in yours, you can install it.

It has a simple API to store and retrieve secrets.

  • First, store a secret from the terminal with the secret-tool store command:

secret-tool store --label "my XYZ api key" type xyz_api

After you press Enter, it prompts for Password:.
Type or paste the secret without quotes or a trailing newline.

The secret is now stored. The attribute/value pair at the end (type xyz_api) is what you will use to look it up later.

You can now retrieve it from the command line with the secret-tool lookup command:

secret-tool lookup type xyz_api

The secret is printed to standard output.

  • You can use the same command in your scripts to retrieve the secrets without writing them into the files:

In bash:

api_key="$(secret-tool lookup type xyz_api)"
echo "$api_key"   # quoted, so the value is passed through unchanged

In ruby:

api_key = `secret-tool lookup type xyz_api`.chomp  # chomp drops a trailing newline if one is present
p api_key                                          # $api_key would be an unrelated (nil) global
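A small wrapper around the lookup step, added here as an example and not code from the original post. It assumes that secret-tool lookup prints nothing (and may exit non-zero) when no matching item is stored; the SECRET_TOOL override variable is invented for this example so the helper can be exercised without a running keyring.

```shell
#!/usr/bin/env sh
# Assumption (not from the original post): the lookup backend can be swapped
# via SECRET_TOOL, e.g. for testing without a Secret Service daemon running.
SECRET_TOOL="${SECRET_TOOL:-secret-tool}"

# get_secret ATTR VALUE
# Prints the secret stored under the attribute pair ATTR=VALUE, exactly as
# `secret-tool lookup ATTR VALUE` would, but fails loudly instead of silently
# handing the caller an empty API key:
#   return 1 - the lookup command itself failed (no keyring, not installed, ...)
#   return 2 - the lookup succeeded but nothing is stored under that pair
# The secret itself is never written to stderr, only the attribute pair.
get_secret() {
    attr="$1"
    value="$2"
    if ! secret="$("$SECRET_TOOL" lookup "$attr" "$value")"; then
        echo "get_secret: lookup failed for $attr=$value" >&2
        return 1
    fi
    if [ -z "$secret" ]; then
        echo "get_secret: no secret stored for $attr=$value" >&2
        return 2
    fi
    printf '%s' "$secret"
}

# Usage in a script (aborts before any API call is made with an empty key):
#   api_key="$(get_secret type xyz_api)" || exit 1
```

Keep the value in a shell variable rather than exporting it, so child processes do not inherit it through the environment.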

Docs