Comment by Hackbraten

17 days ago

I use `pass` on all my personal dev workstations and phone (because I happen to own YubiKeys/OpenPGP cards with my PGP key on them anyway; would probably use `age`/SOPS instead if I hadn't already committed to the PGP ecosystem).

If /usr/bin/bar wants a credential via a FOO_API_KEY environment variable, I create a /usr/local/bin/bar wrapper script like so:

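    #!/bin/bash
    # -e: abort on errors, -u: abort on unset variables, +x: never trace secrets
    set -eu +x

    # Decrypt only if the caller has not already supplied the credential
    if [[ -z "${FOO_API_KEY:-}" ]]; then
      echo >&2 Decrypting FOO_API_KEY
      FOO_API_KEY="$(pass show bar/FOO_API_KEY)"
    fi

    # Hand the credential to the real binary and replace this shell with it
    export FOO_API_KEY
    exec /usr/bin/bar "$@"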
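
Added example, not part of Hackbraten's comment: a generalization of the wrapper above that accepts several `VAR=entry` pairs, refuses to start the tool when `pass` fails or returns nothing, and keeps decrypted values out of the calling shell. The helper name `with_pass_env` and the upper-case-only rule for variable names are assumptions of this sketch; it assumes `pass` is on `PATH`.

```shell
#!/bin/sh
# Usage: with_pass_env VAR=pass/entry [VAR=pass/entry ...] -- command [args...]
# Hypothetical helper (not from the comment above); assumes `pass` is on PATH.
# VAR must be upper-case so it cannot collide with the lower-case locals here.
with_pass_env() {
  (  # subshell: decrypted values never reach the calling shell
    set +x  # never trace secret values
    have_sep=0
    for arg in "$@"; do
      if [ "$arg" = "--" ]; then have_sep=1; break; fi
    done
    if [ "$have_sep" -ne 1 ]; then
      echo >&2 "with_pass_env: missing -- before command"; exit 2
    fi
    while [ "$1" != "--" ]; do
      case "$1" in
        [A-Z]*=?*) name=${1%%=*}; entry=${1#*=} ;;
        *) echo >&2 "with_pass_env: expected VAR=entry, got: $1"; exit 2 ;;
      esac
      # Only plain variable names may reach the eval lines below.
      case "$name" in
        *[!A-Z0-9_]*) echo >&2 "with_pass_env: bad name: $name"; exit 2 ;;
      esac
      eval "current=\${$name:-}"
      # Same rule as the original wrapper: decrypt only when not already set.
      if [ -z "$current" ]; then
        echo >&2 "Decrypting $name"
        value=$(pass show "$entry") || { echo >&2 "pass failed: $entry"; exit 1; }
        # Fail closed rather than start the tool with an empty credential.
        [ -n "$value" ] || { echo >&2 "empty secret: $entry"; exit 1; }
        eval "$name=\$value"
      fi
      export "$name"
      shift
    done
    shift  # drop the --
    [ "$#" -gt 0 ] || { echo >&2 "with_pass_env: missing command"; exit 2; }
    exec "$@"
  )
}
```

A wrapper in the style of the comment would then end with `with_pass_env FOO_API_KEY=bar/FOO_API_KEY -- /usr/bin/bar "$@"` after defining or sourcing the function.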