Where can I store an environental variable only for utilites or scripts that run as root?

I've tried using the gnome-keyring in a headless server, but have an error, so am back to envirnmental variables. https://unix.stackexchange.com/questions/690295/error-secret-tool-cannot-create-an-item-in-a-locked-collection

I tried using .env and .profile, but the latter is not called by Bash, but .bash_profile is used. Setting PATH variable in /etc/environment vs .profile

I'm not sure that will work for scripts or utilities when I'm not logged in running them, even though they run with root privs. For example, a cron.daily script that emails a report. I want to pass it $EMAIL, and also pass that variable other utilities like apticron, for security and ease of changing.

This answer suggests using an env var pointing to a config file, which I assume I could set ownership group and perms to. But is there a more conventional method? https://stackoverflow.com/a/26030125/4240654

EDIT: I just tested scripts after setting vars in .bashrc and they seem to work. Still testing utilities like Apticron... which it turns out doesnot accept a variable like EMAIL=$EMAIL in /etc/apticron/apticron.conf, probably because it is not running in the root ENV. Okay actually both of those work now after commenting out EMAIL="root" in /usr/lib/apticron/apticron.conf (which doesnt need to happen with using a plain text email, so that is inconsistent, and just for Apticron). Using a file and EMAIL=$(cat .env) still doesnt work with Apticron though.

Possible solutions:

• using GPG file:
• using pass: https://www.passwordstore.org/
• using a paid secrets service (would like to avoid)

The first two of those require opening a file or store, and leaving open on a server VM, which would be the same as using a limited access file like .env.

.bashrc is perm 644 by default, so readable by any other user, though the /root dir is 700 so not traversable? More importantly env vars even set just by root are accessible by all users.. probably because all child processes inherit parent env vars. Postfix stores its password in a separate file with 600 perms owned by root, and then hashes it for used in memory.

Here is what you should do:

1. open your terminal

2. execute sudo -s or su

3. execute cd ~/

4. execute nano .bashrc

5. then add your variables there, for example:

welcome_message="WELCOME!";
echo $welcome_message;

6. close and reopen the terminal

I think the best is to use a file with strict perms owned by root. I created a directory called .env, which used to be a file for setting env vars. So I have a file ~/.env/EMAIL that I can call with $(cat ~/.env/EMAIL) in scripts and works with Apticron. It just has one value in it: [email protected].

mkdir ~/.env && echo '[email protected]' >> ~/.env/EMAIL && chmod 600 ~/.env/EMAIL

Or to set 600 for all new files in .env/ use: mkdir ~/.env && sed -i 's/defaults\t/defaults,acl\t/' /etc/fstab && mount -o,remount / && setfacl -dm u::rw,g::x,o::x .env && chmod -x .env && echo '[email protected]' >> ~/.env/EMAIL