
I expect the number of companies that would get fucking owned by simply managing to execute

cat ~/.aws/* | <some sort of curl to a pastebin>

on a devops/senior dev machine is colossal.



What I want is a secure shell (somehow) where my env variables are encrypted and on access I get a prompt to either use a fingerprint reader or a password to unlock them for the process.

Anyone know of any such option? What I've come to use are separate env files that I source in various directories before running the commands that need credentials, or a tool that decrypts a file, loads it into a subprocess's env vars and runs a program (something like mozilla/sops), but I still find that too cumbersome; I'd like it transparent and integrated with my shell.


aws-vault[0] does this, but only for aws creds

0 - https://github.com/99designs/aws-vault


Yeah this is a good tool, if annoying at times.

A better way would be to not allow user accounts to deploy anything in any sort of prod accounts, instead only allowing this to happen through CI.


Combining direnv with sops can be a partial solution here.
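One way to get what the comments above describe (a sops-encrypted file decrypted into a single subprocess's environment, callable from a direnv `.envrc` or a shell rc file), written as an added example for this thread rather than anything from sops, direnv or the commenters: `with_secrets`, the `SECRETS_DECRYPT_CMD` override and the sample dotenv file are hypothetical.

```shell
# with_secrets: decrypt a dotenv-style secrets file and run one command with
# those variables present only in that child's environment. The interactive
# shell never holds the plaintext and nothing decrypted touches the disk.
# Hypothetical helper (not part of sops or direnv). The decrypt command
# defaults to `sops -d`; SECRETS_DECRYPT_CMD overrides it (e.g. `cat` when
# testing against a constructed plaintext file).
with_secrets() {
    secrets_file=$1
    shift
    [ $# -gt 0 ] || { echo "usage: with_secrets FILE CMD [ARGS...]" >&2; return 2; }
    (
        # Decrypt into memory only; abort rather than run the command with
        # missing credentials if decryption fails.
        plaintext=$(${SECRETS_DECRYPT_CMD:-sops -d} "$secrets_file") || exit 1
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;          # skip blanks and comments
                *=*) ;;
                *) echo "with_secrets: not KEY=VALUE: $line" >&2; exit 2 ;;
            esac
            key=${line%%=*}
            value=${line#*=}                  # quotes in VALUE are kept literally
            # Only accept plain identifiers so a tampered file cannot smuggle
            # shell syntax through export.
            case $key in
                ''|[0-9]*|*[!A-Za-z0-9_]*)
                    echo "with_secrets: bad variable name: $key" >&2; exit 2 ;;
            esac
            export "$key=$value"
        done <<EOF
$plaintext
EOF
        # Replace the subshell with the command; secrets die with it.
        exec "$@"
    )
}
```

Usage: `with_secrets secrets.enc.env aws s3 ls`; after it returns, the calling shell has none of the variables set.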

