Turns out the pass command on your local Linux box can be used for a bunch of encryption-related things in addition to what most of us use it for: managing a user’s password.

One cool example is you can hide API keys from shoulder surfers (and history’s memory) by storing the key encrypted on disk and using pass to access it at runtime:

curl -H "API-Key: $(pass provider/api_key)" ...