I have several directories on my Mac; the two most common examples are:
~/.aws
~/.ssh
They can be read by any script file or third-party app in the system.
I do not see a way to protect them in macOS (or in Linux). Mechanisms to protect such directories exist: macOS blocks third-party access to the files of iMessage, iMail and Contacts, which are located under the home directory.
The contents of these directories are very sensitive and secret and should not even be listed by any third-party app. The ~/.ssh/config file contains sensitive usernames and IP addresses and must not be read without user authentication. I assume Terminal should actually ask for a password before it is able to use a certain ssh configuration.
What are practical solutions for such hardening?
UPDATE
Logging in is not authentication for sensitive data that is used once a day to deploy a secure app update with private keys and signatures. This question is about hardening and adding malware protection that works when the user is logged in.
I am looking for the same security as gpg's protection by the keychain, but without the keychain.
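As an added example (not part of the question above), the following POSIX shell snippet audits a secrets directory such as ~/.ssh or ~/.aws for the one protection these directories do get on macOS and Linux: file mode bits. It flags every entry whose mode grants any access to group or other users. Note that this addresses only the cross-user exposure; it does nothing about the problem the question raises, where a script or app running as the same user can read owner-only files. The demo tree built by `make_demo_tree` is constructed for illustration and contains no real credentials; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a secrets directory for group/other permission bits.
# Portable across macOS (BSD ls) and Linux (GNU ls): we parse `ls -ld` output
# rather than `stat`, whose flags differ between the two.

# Print "<path> <group/other bits>" for every entry under $1 whose mode is not
# owner-only. Prints nothing when the whole tree is restricted to the owner.
audit_secret_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # `ls -ld` yields e.g. "-rw-r--r--"; characters 5-10 are the group and
    # other permission triplets. Anything other than "------" there is exposure.
    find "$dir" -print | while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -c5-10)
        case $mode in
            ------) ;;                                    # owner-only, fine
            *) printf '%s %s\n' "$path" "$mode" ;;        # flag it
        esac
    done
}

# Number of flagged entries, for use in scripts and checks.
count_exposed() {
    audit_secret_dir "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for ~/.ssh and ~/.aws (hypothetical layout,
# empty files, no real keys). mktemp -d creates the root with mode 700.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -m 700 "$root/ssh"
    : > "$root/ssh/id_ed25519";  chmod 600 "$root/ssh/id_ed25519"   # fine
    : > "$root/ssh/config";      chmod 644 "$root/ssh/config"       # too open
    mkdir -m 755 "$root/aws"                                        # too open
    : > "$root/aws/credentials"; chmod 600 "$root/aws/credentials"  # fine
    echo "$root"
}

# Stand-alone usage: audit the demo tree, then your real directories.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    demo=$(make_demo_tree)
    echo "exposed entries in demo tree: $(count_exposed "$demo")"
    audit_secret_dir "$demo"
    rm -rf "$demo"
fi
# audit_secret_dir "$HOME/.ssh"; audit_secret_dir "$HOME/.aws"
```

Run against the demo tree, the script reports two entries: the world-readable `ssh/config` and the `aws` directory whose mode lets other users list it. A clean result means only that other local accounts are locked out; any process running under your own user id still passes this check, which is exactly the gap the question describes.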