
secrets-yubikey-unlock

Legacy-named Walter-OS guide for storing Infisical Machine Identity credentials in an OS credential store. Covers macOS Keychain, Linux Secret Service, pass+GPG, and optional hardware security keys. Use when the user asks how to auth Infisical from CLI, configure secrets bootstrap, set up keychain/keyring-backed secrets, or remove plaintext tokens from shell dotfiles.
Xipher-Labs/walter-os · ★ 5 · AI & Automation · score 67
Install: claude install-skill Xipher-Labs/walter-os
# Secrets Bootstrap With OS Credential Stores

This skill keeps its original path for compatibility, but the policy is no longer YubiKey-first. Walter-OS requires an OS credential store plus an Infisical Machine Identity. Hardware security keys are optional hardening.

## Goal

- No plaintext Walter-OS API secrets in `.zshrc`, `.zprofile`, `.env`, or personal dotfiles.
- Store only the Infisical Machine Identity in a local credential store.
- Fetch live secrets from Infisical into the current shell when needed.
- Let operators choose their local unlock factor: Touch ID, login password, FIDO/security key, smartcard, Secret Service, or pass+GPG.

## Supported Stores

| Platform | Store | Bootstrap |
|---|---|---|
| macOS | Keychain via `security` | `walter-os secrets-identity-init --store macos-keychain` |
| Linux | Secret Service via `secret-tool` | `walter-os secrets-identity-init --store secret-service` |
| Linux fallback | `pass` + GPG | `walter-os secrets-identity-init --store pass` |

Default:

```bash
walter-os secrets-identity-init --store auto
```

`auto` chooses macOS Keychain on Darwin. On Linux it chooses Secret Service when `secret-tool` exists, then `pass` when `pass` and `gpg` exist.

## Setup

### 1. Create an Infisical Machine Identity

In the Infisical web UI:

```text
Project -> Access Control -> Machine Identities -> Create Identity
Auth method: Universal Auth
Permissions: read-only on the required environment
```

Create one identity per device so a los
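
A preflight for the Goal list and the `auto` selection order described earlier in this skill, as an added example that is not Walter-OS code: `detect_store` follows the documented order and `audit_dotfiles` flags likely plaintext secrets in the named dotfiles. The function names and the matching heuristic are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Walter-OS code: preflight checks for the policy above.

# have CMD: succeed when CMD resolves on PATH.
have() { command -v "$1" >/dev/null 2>&1; }

# detect_store [OS]: print the store `--store auto` would pick, in the
# documented order. OS defaults to `uname -s`; passing it aids testing.
detect_store() {
  local os="${1:-$(uname -s)}"
  case "$os" in
    Darwin) echo "macos-keychain"; return 0 ;;
    Linux)
      if have secret-tool; then echo "secret-service"; return 0; fi
      if have pass && have gpg; then echo "pass"; return 0; fi ;;
  esac
  echo "no supported credential store for $os" >&2
  return 1
}

# Assumed heuristic: a credential-looking name assigned a literal value
# (not empty, not a $VAR or $(command) lookup).
SECRET_RE="^[[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*(TOKEN|SECRET|API_KEY|PASSWORD)[A-Za-z0-9_]*=[\"']?[^\$\"'[:space:]]"

# audit_dotfiles [DIR]: print file:line for each suspected plaintext secret in
# the dotfiles the page names. Values are never echoed. Returns 1 on any hit.
audit_dotfiles() {
  local dir="${1:-$HOME}" f n hits found=0
  for f in .zshrc .zprofile .env; do
    [ -f "$dir/$f" ] || continue
    hits=$(grep -nE "$SECRET_RE" "$dir/$f" | cut -d: -f1) || true
    for n in $hits; do echo "$f:$n"; found=1; done
  done
  return "$found"
}

# Report both checks for the current user.
echo "store: $(detect_store 2>/dev/null || echo none)"
audit_dotfiles || echo "move the entries listed above into the credential store" >&2
```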