Support storing and retrieving the API key in a secure manner

[luckman212]

Currently, the API key is stored in the config file. The only way to "protect" it is to use file permissions, full disk encryption etc. But most people will not do that, so I think other methods should be offered.

Options:

• Store the key encrypted & prompt for a decryption password (Py cryptography module, gpg etc)
• Pull from Password Manager e.g. 1Password, Bitwarden
• Store in Keychain (macOS only)

Open to other ideas...

[bruceoberg]

a simple way to sidestep this would be to allow for a "get api key from this file" option in the config. this would let you, for example, have a config file checked into git but have the api key in a file that is not checked in.

i'm coming from the nixos world where tools like sops and age are used to keep secrets secret. in these systems, the crucial feature a package can provide is a way to load a secret from a file. encrypted secrets can then be checked into the repo, but only trusted destinations are able to decrypt them.

hell, i might make a PR for this.