Where to store secrets on macOS securely
macOS already provides strong primitives. “Where to store secrets” is really which layer owns which material: disk encryption, OS secret store, app vaults, and your habits (Slack, Git, screenshots).
1. Layer stack (use more than one)
| Layer | Protects against |
|---|---|
| FileVault | Theft of powered-off laptop / disk imaging |
| Login password + Lock Screen | Casual physical access while away |
| Keychain Services | Plaintext secret files in project folders |
| Encrypted developer vault (e.g. PassStore) | Structured API keys with workspace UX (Security) |
| Screen sharing awareness | Social exfiltration |
Apple FileVault overview: Use FileVault
2. Keychain: great building block
Keychain stores Wi‑Fi passwords and certificates, and can back app-managed secrets. Raw CLI scripting with the `security` tool scales poorly for dozens of dev keys — prefer a GUI vault that uses Keychain under the hood: macOS Keychain for developers.
3. iCloud Drive and Desktop/Documents sync
If your project (or .env) lives under iCloud-synced paths, assume additional copies exist in Apple’s ecosystem. Prefer non-synced locations for canonical secrets or use vault storage instead of plaintext.
4. Plaintext .env in ~/Projects
Acceptable only with eyes open — where to store .env, is .env safe?
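As an added example (not code from this page or from PassStore), a small POSIX shell helper that ties sections 2 to 4 together: dev keys live in the login keychain and reach a process via `security` at run time, a plaintext .env can be listed to see which keys still need moving, and paths under iCloud Drive are flagged. The function names and the `SECRET_ACCOUNT` default are assumptions; `security` is only needed when the keychain functions are actually called.

```shell
#!/bin/sh
# Keep API keys in the macOS login keychain and hand them to a child process,
# instead of sourcing a plaintext .env. Account name is a constructed default.
SECRET_ACCOUNT="${SECRET_ACCOUNT:-$USER}"

# Print the secret stored under (SECRET_ACCOUNT, service); non-zero exit if absent.
keychain_get() {
  security find-generic-password -a "$SECRET_ACCOUNT" -s "$1" -w
}

# Store or update one secret. The value is read from stdin so it never appears
# in this shell's history or argv (security itself still receives it via -w).
keychain_put() {
  IFS= read -r _value
  security add-generic-password -U -a "$SECRET_ACCOUNT" -s "$1" -w "$_value"
}

# List KEY names from a .env file (comments and blank lines skipped), so you can
# see which keys still sit in plaintext and migrate them with keychain_put.
env_keys() {
  sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$1"
}

# Exit 0 when the path is under iCloud Drive, i.e. anything written there
# gets extra copies outside this Mac (section 3 above).
is_synced_path() {
  case "$1" in
    "$HOME/Library/Mobile Documents/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# run_with_secrets SERVICE... -- CMD ARGS...: export each keychain item as an
# environment variable named after its service, scoped to the child only
# (the function body is a subshell, so the caller's environment stays clean).
run_with_secrets() (
  while [ "$1" != "--" ]; do
    _v=$(keychain_get "$1") || { echo "missing keychain item: $1" >&2; return 1; }
    export "$1=$_v"
    shift
  done
  shift
  "$@"
)
```

Typical use: `printf '%s\n' "$token" | keychain_put OPENAI_API_KEY` once, then `run_with_secrets OPENAI_API_KEY -- npm start` instead of `source .env`.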
5. Screen recording and Universal Clipboard
- Screen capture tools may retain frames with terminal output.
- Universal Clipboard can sync the clipboard to your other Apple devices — be careful after copying secrets; see copy env without mistakes.
6. Auto-lock and session hygiene
A short “Require password after sleep or screen saver” delay reduces walk-up risk. Deeper: auto-lock sensitive data on macOS.
7. Soft CTA
Pillar: Secret manager for macOS · Download PassStore