I've been mucking around with the new CLI and it's pretty nice! I have some files sitting in my home folder that contain access tokens and the like that I set environment variables with to use in some Node.js applications I write, and was intrigued by the idea of replacing them with a dynamic call to `op` so the tokens don't have to be sitting on there in plain text. So instead of `export API_KEY=<key>` I could do an `eval $(op signin <address>)` at the top of the script then do `export API_KEY=$(op get item '<item name>' --fields 'api key')` and as soon as the terminal session is closed, that environment variable is gone. I made that change and it works a treat, except I see the secret key now lives in `~/.op/config` in plain text, which feels to me less appealing than having the individual API keys sitting that way, heh.
I see in the 1Password white paper that under macOS the secret key is stored in the macOS keychain, would it make sense to do that with the CLI as well? Or am I entirely misunderstanding the threat model for this and it's not really a concern at all? 😅 (I'm not any sort of security person, just someone with a vague interest).
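An added example, not part of the original post and not 1Password's code: shell functions for the pattern described above that fail closed when `op` returns an error or an empty value, plus a check that `~/.op/config` grants nothing to group or others. The function names `is_private` and `load_secret` are hypothetical; the `op` commands are the ones quoted in the post.

```shell
#!/bin/sh
# Added example; is_private and load_secret are hypothetical helper names.

# Return 0 only if FILE is a regular file whose mode grants nothing to
# group or others (characters 5-10 of the ls mode string are all '-').
is_private() {
    [ -f "$1" ] || return 2
    _perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$_perms" = "------" ]
}

# Fetch one field of an item into the named environment variable.
# `export VAR=$(cmd)` returns export's status, so a failed `op` call would
# silently export an empty VAR; assign first, check, then export.
load_secret() {
    _var=$1 _item=$2 _field=$3
    # Accept only a valid shell variable name.
    case $_var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name" >&2
            return 2 ;;
    esac
    _value=$(op get item "$_item" --fields "$_field") || {
        echo "load_secret: op failed for item '$_item'" >&2
        return 1
    }
    [ -n "$_value" ] || {
        echo "load_secret: empty field '$_field' in item '$_item'" >&2
        return 1
    }
    export "$_var=$_value"
    unset _value
}

# Usage in the script the post describes (<address> and <item name> are
# the post's own placeholders):
#   is_private "$HOME/.op/config" || echo "warning: config readable by others" >&2
#   eval $(op signin <address>)
#   load_secret API_KEY '<item name>' 'api key' || exit 1
```

The mode check only confirms that other local accounts cannot read the file; the secret key is still stored unencrypted for anything running as the same user.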