The safest way to store API keys locally (on your Mac)

Safest is layered. No single app replaces disk encryption, screen lock, Git hygiene, and not pasting keys into chat.


1. Layer 1 — Full-disk encryption (FileVault)

Encrypts data at rest when the Mac is off. Reference: Apple's FileVault documentation.


2. Layer 2 — Session lock

Require the password after a short delay once the Mac sleeps (auto-lock).


3. Layer 3 — Encrypted vault + Keychain options

Store canonical API keys in PassStore:

  • Vault encrypted at rest (AES-256-GCM, Argon2id wrapping; see PassStore's Security page).
  • Sensitive values can use Keychain Services (see the Keychain guide).
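
For the Keychain option above, an added example (not PassStore's code and not from the original page): shell functions that keep a key in the macOS login keychain with the stock `security` CLI and release it to a single command only while FileVault (Layer 1) reports On. The service name and variable name a caller passes in are hypothetical.

```shell
#!/bin/sh
# Added example, not PassStore code. Uses the macOS `security` and `fdesetup` CLIs.

# Layer 1 check: `fdesetup status` prints "FileVault is On." when enabled.
filevault_on() {
    fdesetup status 2>/dev/null | grep -q '^FileVault is On'
}

# Store or update (-U) a key for SERVICE. Ending the command with a bare -w
# makes `security` prompt for the value, so the key never appears in shell
# history or in the process argument list.
store_api_key() {
    security add-generic-password -a "${USER:-$(id -un)}" -s "$1" -U -w
}

# Print the stored key for SERVICE; non-zero exit status if no item exists.
read_api_key() {
    security find-generic-password -a "${USER:-$(id -un)}" -s "$1" -w 2>/dev/null
}

# Usage: with_api_key SERVICE VAR_NAME command [args...]
# The body runs in a subshell "( ... )", so the key is exported only to the
# one external command and never stays in the calling shell's environment.
with_api_key() (
    service=$1
    var=$2
    shift 2
    if ! filevault_on; then
        echo "refusing: FileVault is not on" >&2
        exit 1
    fi
    key=$(read_api_key "$service") || {
        echo "no keychain item for service: $service" >&2
        exit 1
    }
    [ -n "$key" ] || { echo "empty key for service: $service" >&2; exit 1; }
    export "$var=$key"
    exec "$@"
)
```

The functions do nothing until called; on a Mac, `store_api_key` is run once per service and `with_api_key` wraps each command that needs the key.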

4. Layer 4 — Git and backup discipline


5. Layer 5 — Scoped, rotatable keys

Use test keys on the laptop; keep production keys separate, in cloud stores. See: store safely.


6. What is not promised

Malware on an unlocked Mac, phishing, or you pasting a key into a public LLM chat — local encryption does not fix human exfiltration. PassStore’s Security page states this plainly.

