We’ve been using 1Password CLI for this sort of thing. It works great cuz it uses Touch ID, has all the access controls you can provide, and syncing too.
I use OP + SOPS on my homelab. I have the age key stored in 1Password, and I have a very simple one-line call to op that fetches it in my zshrc that injects the age key into my env; then it’s available to execute sops whenever I need. I have to re-auth on a new terminal window periodically, but the UX is pretty seamless.
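A variant of the setup described in the comment above, as an added example that is not the commenter's own configuration: rather than exporting the key from zshrc, a wrapper fetches it with `op read` and hands it to a single sops invocation, so it never sits in the interactive shell's environment. The secret reference `op://VAULT/ITEM/FIELD` is a placeholder, and the names `SOPS_AGE_OP_REF`, `age_key_from_op` and `sops_op` are hypothetical.

```shell
# Added example, not from the original thread. Works in zsh, bash and POSIX sh.
# Placeholder secret reference: replace with the vault/item/field that holds
# the age private key in 1Password.
SOPS_AGE_OP_REF="${SOPS_AGE_OP_REF:-op://VAULT/ITEM/FIELD}"

# Print the age private key on stdout, or fail without printing anything.
# The body is a subshell "( ... )", so $key never leaks into the caller.
age_key_from_op() (
    key=$(op read "$SOPS_AGE_OP_REF") || {
        echo "age_key_from_op: op read failed (locked or not signed in?)" >&2
        return 1
    }
    # Sanity check: age identities contain the AGE-SECRET-KEY-1 prefix.
    # This catches a wrong item or field before sops sees it.
    case "$key" in
        *AGE-SECRET-KEY-1*) printf '%s\n' "$key" ;;
        *)
            echo "age_key_from_op: value is not an age secret key" >&2
            return 1
            ;;
    esac
)

# Run sops with SOPS_AGE_KEY set only for that one invocation.
# The export happens inside a subshell, so the interactive shell (and
# every other program started from it) never has the key in its env.
sops_op() (
    SOPS_AGE_KEY=$(age_key_from_op) || exit 1
    export SOPS_AGE_KEY
    sops "$@"
)

# Usage, e.g. from an interactive shell after sourcing this file:
#   sops_op -d secrets.enc.yaml
```

Each `sops_op` call goes through `op`, so access stays subject to whatever 1Password unlock state and prompts are in effect at that moment.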