Credential files are a good, simple, portable option. Files have permissions already. They don't depend on an external service or a proprietary API.
And, if your program accepts a credential file, it will be compatible with systemd credentials. systemd credentials offer more security than an unencrypted credential file. They are encrypted and can be TPM-bound, but they don't require the software using the credential to have native TPM support.
I like it when programs have a way to specify a command to retrieve secrets.
mbsync (https://isync.sourceforge.io/mbsync.html) e.g. has afaik 3 options to provide a password for IMAP authentication:
If you don't configure a password, you'll be prompted on execution.
You can also put the plain text password in the configuration (impractical if you want to share your configuration).
But there is also a configuration option to provide a command to retrieve the password.
That way you can delegate the password handling to another program, e.g. a password manager like pass(1) (https://www.passwordstore.org/) or some interactive graphical prompt.
A secrets management service would be most convenient. Documentation makes them easy to set up without having to build anything extra yourself. A secrets manager like Doppler (https://Doppler.com) or AWS Secrets Manager (https://aws.amazon.com/secrets-manager/) has the advantage of protecting your secrets in a secure place and the advantage of minimizing exposure of those secrets - even to your own developers. That way, you don't end up with a data breach that could have easily been avoided. These types of leaks can cost companies everything and are becoming way more common.
> Secrets should only be accepted via credential files, pipes, AF_UNIX sockets, secret management services, or another IPC mechanism.
Which one of these is the most convenient and portable to use?
Do you use secret management services for work only, or do you use them in your personal projects too?