You can load environment variables from a password-protected file using the "pass" utility.
Install the relevant packages:
sudo apt install pass pinentry-tty
Generate a GPG key if you haven't already:
gpg --quick-gen-key userid
Press Enter to continue, and then type in your passphrase twice.
Configure GnuPG to prompt for the passphrase in the terminal (TTY):
echo pinentry-program /usr/bin/pinentry-tty >> ~/.gnupg/gpg-agent.conf
Initialize the password store for the first time:
pass init userid
Enter the passphrase to confirm.
Stored secrets are called "passwords". Each has a name and a secret value. Most characters are legal in the secret_name (for example, domain.xyz/api_token).
pass insert secret_name
Enter the secret value (aka password), and re-enter to confirm the value.
Secrets are output using "pass show".
pass show secret_name
Example setting an environment variable to a secret:
export CF_API_TOKEN=$(pass show secret_name)
This could be configured in a bash function.
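One way to write such a function, as an added example rather than code from the original page. The names load_secret and with_secret are hypothetical; the sketch assumes pass is set up as above and that a multi-line entry keeps its secret on the first line.

```bash
# Added example; load_secret and with_secret are hypothetical helper names.

# load_secret VAR secret_name
# Export VAR with the secret stored under secret_name. Unlike
# `export VAR=$(pass show ...)`, which hides the exit status of pass, a
# failed or cancelled decryption returns non-zero and exports nothing.
load_secret() {
    [ "$#" -eq 2 ] || { echo "usage: load_secret VAR secret_name" >&2; return 2; }
    case $1 in   # accept only a valid shell variable name
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name: $1" >&2; return 2 ;;
    esac
    _ls_out=$(pass show "$2") || {
        echo "load_secret: cannot read $2" >&2; unset _ls_out; return 1; }
    # Entries may be multi-line; by pass convention the first line is the secret.
    _ls_nl='
'
    _ls_val=${_ls_out%%"$_ls_nl"*}
    export "$1=$_ls_val"
    unset _ls_out _ls_nl _ls_val
}

# with_secret VAR secret_name command [args...]
# Run one command with the secret in its environment; the subshell keeps
# the variable out of the calling shell.
with_secret() {
    [ "$#" -ge 3 ] || { echo "usage: with_secret VAR secret_name command [args...]" >&2; return 2; }
    (
        _ws_var=$1 _ws_name=$2
        shift 2
        load_secret "$_ws_var" "$_ws_name" && "$@"
    )
}

# Usage (secret name taken from the example above):
#   load_secret CF_API_TOKEN domain.xyz/api_token
#   with_secret CF_API_TOKEN domain.xyz/api_token some_command
```

Put the functions in ~/.bashrc to have them available in every interactive shell.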
The passphrase is cached for 10 minutes by default; after that, you will be prompted again the next time you use pass.