I think this might be more secure as the current method of accessing the keyring via CLI means any app that can shell out to the CLI the same way can also access the keyring. This method means the keyring values we write can only be opened silently by envelope.