How to harden secret security when passed to processes via files or environment variables?

Hello security fellows,

I'm looking for ways to securely pass secrets to processes. I wrote [Novops](https://github.com/PierreBeucher/novops), a secret and configuration tool fetching secrets from secret managers like Hashicorp Vault and passing them onto processes like Ansible or Terraform. These "client" processes expect secrets as files or environment variables (eg. [Ansible `ANSIBLE_VAULT_PASSWORD_FILE`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_VAULT_PASSWORD_FILE)).

Novops idea is to only keep secrets for as long as they're needed (instead of permanently storing them in git-ignored files, under `$HOME` directory or as CI variables) and …

cybersecurity directory environment files git hello home memory party processes protect secret secrets security third third-party under