IanTwenty@lemmy.world to Selfhosted@lemmy.world • How do you handle secrets in home automation?
1 year ago

Two more options you might consider:
- secret-tool - like a vault that unlocks when a user logs in to their session. This shifts the problem to keeping the user’s login credentials secure but depending on your setup that might be preferable. Just be aware that once unlocked any process could access the vault in theory (I wish they’d add access controls…)
- podman secrets - so you can securely provide secrets to containers. You can set these once securely then nothing except processes in the container can get them.
In that case I’ll also mention that PowerShell has a secure-string that allows you to load secrets from encrypted file/user input. I believe it’s secured by the user’s login/session like secret-tool. They even remain encrypted in memory so they can’t be snooped on.
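
An added example, not part of the original comment, combining the two Linux options above: one function copies an item from the login keyring into a podman secret, and one reads the mounted secret inside the container. The secret name `mqtt_password`, the keyring attributes and the `SECRETS_DIR` override are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Secret name and keyring attributes are hypothetical.

# Podman mounts each secret as a file here by default (overridable for testing).
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# Host side: copy one item from the unlocked login keyring into a podman
# secret. The value travels over a pipe, so it never lands in argv, shell
# history or a temp file.
#   usage: keyring_to_podman mqtt_password service mqtt account homeassistant
keyring_to_podman() {
    name="$1"; shift
    value=$(secret-tool lookup "$@") || return 1
    # A missing keyring entry must not become an empty podman secret.
    [ -n "$value" ] || { echo "no keyring entry for: $*" >&2; return 1; }
    printf '%s' "$value" | podman secret create "$name" -
    rc=$?
    unset value
    return "$rc"
}

# Container side (started with: podman run --secret mqtt_password ...):
# print the secret's value, or fail loudly if it was not mounted.
read_secret() {
    # Reject empty names, path separators and dotfiles so a caller-supplied
    # name cannot escape the secrets directory.
    case "$1" in
        ''|*/*|.*) echo "invalid secret name" >&2; return 1 ;;
    esac
    f="$SECRETS_DIR/$1"
    [ -f "$f" ] && [ -r "$f" ] || { echo "secret '$1' not mounted" >&2; return 1; }
    cat "$f"
}
```

Inside the container, `password=$(read_secret mqtt_password)` keeps the value out of the image, the environment and the command line.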