# Accessing Secrets safely in your Scripts


I have many scripts in my `$PATH`. Bash and ruby executable files.

Some of these make api calls and need the api keys and secret tokens to get me the data.

But I can't embed them in the script files because I check-in these scripts.
To github and to some external places too.

I don't want these secrets to end up in those places.

So I need a programmatic way to store and access these secrets in the scripts.

Enter `secret-tool`. This was already present in my arch linux distribution.
If it's not there in yours, you can install it.

It has a simple api to store and retrieve the secrets.

* First, you store a secret in the terminal using `secret-tool store` command:

```sh
secret-tool store --label "my XYZ api key" type xyz_api
```

After pressing enter, it will ask for `Password:`.  
Type/paste it without quotes or newline.

Now the password is saved in the `secret-tool`.

You can now retrieve it from the terminal command-line with the `secret-tool lookup` command:

```sh
secret-tool lookup type xyz_api
```

The secret will be printed in the standard output.

* You can use this same command in your scripts to now retrieve the secrets safely
without explicitly mentioning them:

In bash:
```sh
api_key="$(secret-tool lookup type xyz_api)"
echo $api_key
```

In ruby:
```rb
api_key = `secret-tool lookup type xyz_api`
p $api_key
```

### Docs
- [Arch wiki page](https://man.archlinux.org/man/core/libsecret/secret-tool.1.en) for secret-tool