0

When doing local development, I have to export a token needed for downloading dependencies from a private repository. For example:

export NPM_TOKEN=token_value

I want to make sure that this token is not stored in the shell history (that's the easy part, I'm not asking about that) and that it comes from a secure place, without a need to type it.

What are the best practices for keeping and retrieving such secrets on a local machine?

1 Answer

0

One option is to use a profile: the system-wide one (normally /etc/profile) or the private one (~/.profile). Add your variable there. It will be visible to your processes, but will not be present in the history.

Another option is to use a shell script. In this script, export the variable you need, then start the process from this script. The process will see all the variables set in this script. But it will not be present in the shell history.

There can be other options.

Keep in mind that although the variable is not present in the shell history, it is visible in the details of the running process. Any user or process with corresponding permissions will be able to read it.

mentallurg
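A sketch of the wrapper-script option from the answer above, as an added example that is not part of the original answer. It reads the token from a file that only the owner can access and exports it only into the one child process. The names `with_npm_token` and `NPM_TOKEN_FILE` and the default path are assumptions made for illustration.

```shell
# Added example (not from the original answer). with_npm_token, NPM_TOKEN_FILE
# and the default path are hypothetical names chosen for illustration.
# Usage: with_npm_token npm ci

with_npm_token() (
    # The body runs in a subshell, so nothing set here reaches the calling shell.
    token_file="${NPM_TOKEN_FILE:-$HOME/.config/npm-token}"

    if [ "$#" -eq 0 ]; then
        echo "usage: with_npm_token command [args...]" >&2
        exit 2
    fi

    # Require a regular file (not a symlink) with no group/other permission bits.
    mode=$(ls -ld -- "$token_file" 2>/dev/null) || {
        echo "with_npm_token: cannot stat $token_file" >&2
        exit 1
    }
    case "$mode" in
        -???------*) ;;
        *)
            echo "with_npm_token: $token_file must be a regular file" \
                 "with no group/other permissions (chmod 600)" >&2
            exit 1
            ;;
    esac

    # read is a shell builtin, so the token never appears in any process argv.
    NPM_TOKEN=
    IFS= read -r NPM_TOKEN < "$token_file" || true
    if [ -z "$NPM_TOKEN" ]; then
        echo "with_npm_token: $token_file is empty or unreadable" >&2
        exit 1
    fi

    # Export only inside this subshell, then replace it with the command.
    export NPM_TOKEN
    exec "$@"
)
```

The caveat in the answer still applies: the child process carries the token in its environment, where other processes with sufficient permissions can read it.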