zsh-osx-keychain

OSX keychain utilities for secure environment vars

Primary language: Shell. License: Apache License 2.0

So you have some values you need in your shell, but you know you shouldn't keep them in plaintext on disk.

Usage

Set a variable

set-keychain-environment-variable MY_SECRET_ENV

You will be prompted for the value (and a confirmation)

password data for new item:
retype password for new item:

Read a variable

To just see the value

keychain-environment-variable MY_SECRET_ENV

The function prints the value to stdout

mysecret

To assign to a variable

MYVAR=$(keychain-environment-variable MY_SECRET_ENV)

You can do this as an export in your .zshrc, but this is less recommended, since exported values stick around as plaintext in your environment. It is better to create an alias or function wrapper for the use cases that need these secrets.
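One way to write such a function wrapper, as an added example that is not part of the plugin: it reads the value with keychain-environment-variable and hands it to a single command, so the secret never lands in the interactive shell's environment. The names with_keychain_secret and KEYCHAIN_GETTER are hypothetical, and the plugin is assumed to be loaded.

```shell
# Added example, not part of zsh-osx-keychain.
# Assumes the plugin's keychain-environment-variable function is loaded.
# with_keychain_secret and KEYCHAIN_GETTER are hypothetical names; the
# KEYCHAIN_GETTER override exists only so the lookup can be stubbed out.
#
# usage: with_keychain_secret VAR_NAME command [args...]
#   e.g. with_keychain_secret MY_SECRET_ENV some-command --some-flag
#
# The body is a subshell "( ... )", so the export below never reaches the
# calling shell: only the one command (and its children) sees the value.
with_keychain_secret() (
  if [ "$#" -lt 2 ]; then
    echo "usage: with_keychain_secret VAR_NAME command [args...]" >&2
    exit 2
  fi
  name=$1
  shift

  # Accept only plain identifiers, since the name is passed to export.
  case $name in
    '' | [0-9]* | *[!A-Za-z0-9_]*)
      echo "with_keychain_secret: invalid variable name" >&2
      exit 2
      ;;
  esac

  # Fail closed: if the lookup fails or is empty, do not run the command.
  getter=${KEYCHAIN_GETTER:-keychain-environment-variable}
  if ! value=$("$getter" "$name") || [ -z "$value" ]; then
    echo "with_keychain_secret: no keychain value for $name" >&2
    exit 1
  fi

  # export is a shell builtin, so the value is not passed on any command line.
  export "$name=$value"
  "$@"
)
```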

Remove a variable

delete-keychain-environment-variable MY_SECRET_ENV

Installation

  1. cd ~/.oh-my-zsh/custom/plugins (you may have to create the folder)
  2. git clone https://github.com/onyxraven/zsh-osx-keychain.git
  3. In your .zshrc, add zsh-osx-keychain to your oh-my-zsh plugins:

     plugins=(
       # [...snip...]
       zsh-osx-keychain
     )

  4. restart your shell

  1. add zgen load onyxraven/zsh-osx-keychain to your '!saved/save' block
  2. zgen update
  3. restart your shell

Use it like other oh-my-zsh plugins.

zinit snippet https://github.com/onyxraven/zsh-osx-keychain/blob/main/zsh-osx-keychain.plugin.zsh

How it works

OSX can access keychain values programmatically using the security command. You can also see these keychain items (on your default keychain) via Keychain Access.app.

Inspiration / Source

The commands here were copied pretty closely from this gist, with some explanation in this blog post