This project is archived and no longer maintained.
After real-world usage, I concluded that the simplest alternative — storing secrets in `.zshenv` with `.gitignore` — is sufficient for personal development. Key reasons:

- `eval $(sekret env)` doesn't work in non-interactive shells (e.g. AI coding assistants that spawn subshells)
- The security benefit of OS keychain over a gitignored dotfile is marginal for single-developer use
- Team/shared secret management requires a fundamentally different architecture

The code remains available as a reference for Go CLI design, OS keychain integration, and Homebrew distribution. See Discussion #35 for the full retrospective.
Secure your API keys in OS keychain, load them as env vars. No more plaintext secrets in .zshrc.
Most developers store API keys as plaintext export statements in .zshrc or .env files. With the growing number of AI tools (Claude Code, Cursor, Aider, Gemini CLI, etc.), managing these keys securely becomes increasingly important.
sekret stores your keys in the OS keychain (macOS Keychain, GNOME Keyring) and loads them as environment variables — with zero change to your daily workflow.
```sh
brew install eazyhozy/sekret/sekret
```

```sh
go install github.com/eazyhozy/sekret@latest
```

```sh
# Register your keys (env var name directly)
sekret add OPENAI_API_KEY
sekret add ANTHROPIC_API_KEY
# Or use built-in shorthands
sekret add openai # → OPENAI_API_KEY
sekret add anthropic # → ANTHROPIC_API_KEY
# Add to .zshrc (replace existing export statements)
echo 'eval "$(sekret env)"' >> ~/.zshrc
source ~/.zshrc
# Done. Everything works as before.
```

```sh
# Detect plaintext keys in your shell config files
sekret scan
# Interactively migrate them to the keychain
sekret import
```

| Command | Description |
|---|---|
| `sekret add <ENV_VAR>` | Register a new API key (interactive input) |
| `sekret list` | List registered keys (values are masked) |
| `sekret set <ENV_VAR>` | Update an existing key |
| `sekret remove <ENV_VAR>` | Remove a key (with confirmation) |
| `sekret env` | Output all keys as export statements |
| `sekret scan` | Detect plaintext API keys in shell config files |
| `sekret import` | Interactively migrate plaintext keys into sekret |

For common services, you can use shorthand names instead of full env var names:
| Shorthand | Env Variable | Key Prefix |
|---|---|---|
| `openai` | `OPENAI_API_KEY` | `sk-` / `sk-proj-` |
| `anthropic` | `ANTHROPIC_API_KEY` | `sk-ant-` |
| `gemini` | `GEMINI_API_KEY` | `AIza` |
| `github` | `GITHUB_TOKEN` | `ghp_` / `github_pat_` |
| `groq` | `GROQ_API_KEY` | `gsk_` |

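The following Go program is an added example, not sekret's own code (the page does not show how `sekret scan` is implemented): one way to flag plaintext keys in a shell config using the key prefixes from the table above. The `Finding` type, the `Scan` function and the sample config with its fake key values are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one plaintext key assignment found in a shell config file.
type Finding struct {
	Line                    int
	EnvVar, Service, Masked string // Masked holds the prefix only, never the key
	Commented               bool   // a commented-out key is still on disk
}

// Prefixes from the table above; specific first so "sk-ant-" is not matched as "sk-".
var prefixes = [][2]string{{"sk-ant-", "anthropic"}, {"sk-proj-", "openai"},
	{"sk-", "openai"}, {"AIza", "gemini"}, {"github_pat_", "github"},
	{"ghp_", "github"}, {"gsk_", "groq"}}
// Matches NAME=value with an optional leading "#", "export" and quotes.
var assignRe = regexp.MustCompile(`^\s*(#?)\s*(?:export\s+)?([A-Za-z_]\w*)=["']?([^"'\s#]+)`)

// Scan returns every assignment whose value starts with a known key prefix.
func Scan(config string) []Finding {
	var out []Finding
	for i, line := range strings.Split(config, "\n") {
		if m := assignRe.FindStringSubmatch(line); m != nil {
			for _, p := range prefixes {
				if strings.HasPrefix(m[3], p[0]) {
					out = append(out, Finding{i + 1, m[2], p[1], p[0] + "****", m[1] == "#"})
					break
				}
			}
		}
	}
	return out
}

// sample is a constructed .zshrc fragment; the key values are fake.
const sample = `export OPENAI_API_KEY="sk-proj-EXAMPLEonly000"
# export ANTHROPIC_API_KEY=sk-ant-EXAMPLEonly111
GITHUB_TOKEN='ghp_EXAMPLEonly222'
eval "$(sekret env)"`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("%+v\n", f)
	}
}
```

The commented-out line is reported as well, because a key left behind in a comment is still stored in plaintext in the file.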
For any other key, use the env var name directly:

```sh
sekret add MY_SERVICE_KEY
```

- Key values are stored in the OS keychain via go-keyring (OS-level encryption)
- Metadata (registered env var list) is stored in `~/.config/sekret/config.json`
- Key values are never written to any file
- Key input is always interactive (never accepted as CLI arguments, protecting shell history)

sekret uses go-keyring to interface with the OS keychain:
| OS | Backend | Status |
|---|---|---|
| macOS | Keychain | Supported |
| Linux (Desktop) | GNOME Keyring / KWallet | Supported |
| Windows | Credential Manager | Planned (v0.3) |
| Linux (Headless) | — | Planned (v0.4) |