I always need to set critical environment variables on my Bash (API tokens), and of course, it’s a very bad idea to store them on .bashrc. I found a simple way to store them in an encrypted file loading it only when necessary:

1. Store critical variables under .bash_secure (you must export each variable).
2. Encrypt it with gpg -c .bash_secure.
3. Secure delete the clear text file with shred -u .bash_secure.
4. Load secured environment only when needed source <(gpg -q -d ~/.bash_secure.gpg)

Don’t put the load command into .bashrc because commands included in .bashrc must not emit output.