I want to create a secret provisioning system that on deployment decrypts secrets on the target machine and puts them in RAM. They should be accessible as files so that services on the same machine can open them.
On Linux there is a file-system called ramfs that will never be swapped out to disk. On macOS there seems to be only a ramdisk. Does this ramdisk get swapped to the disk by the operating system (which would put the secret data on disk)?
Best Answer
Since macOS High Sierra 10.13.x the virtual memory "swapfile(s)" have been encrypted even if FileVault2 disk encryption is off. Obviously, I would test that theory and review any CVE reports and validate it.
https://support.apple.com/guide/mac-help/what-is-secure-virtual-memory-on-mac-mh11852/mac
You might be scratching your left ear with your right hand roundabout the hard way. Consider creating an additional keychain and using that instead. It's far more secure and this is precisely what keychains are designed to accomplish. They secure secrets.
Developer API Docs: https://developer.apple.com/documentation/security
Command line (scripting): man security
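The keychain approach suggested in the answer, sketched as an added example (not code from the answer or from Apple): the deployment step creates a dedicated keychain and stores secrets in it, and services read them back with the `security` tool. The keychain path, the `deploy-secrets` service label and the `KEYCHAIN_PASSWORD` variable are assumptions.

```sh
#!/bin/sh
# Added example: a dedicated keychain as the secret store, driven by macOS `security`.
# Assumed (not from the page): keychain path, service label, KEYCHAIN_PASSWORD variable.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/deploy-secrets.keychain-db}"
SERVICE="${SERVICE:-deploy-secrets}"

# Fail early when the keychain password was not supplied by the deployment tooling.
need_password() {
    [ -n "${KEYCHAIN_PASSWORD:-}" ] || { echo "KEYCHAIN_PASSWORD is not set" >&2; return 2; }
}

# Create the keychain if missing, then have it lock on sleep and after 300 s idle.
secrets_init() {
    need_password || return
    if [ ! -e "$KEYCHAIN" ]; then
        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1
    fi
    security set-keychain-settings -l -u -t 300 "$KEYCHAIN"
}

# secret_put NAME VALUE: add the item, or update it in place (-U) if it exists.
# Caveat: VALUE travels in argv, so other local processes can briefly see it in ps.
secret_put() {
    [ "$#" -eq 2 ] || { echo "usage: secret_put NAME VALUE" >&2; return 2; }
    need_password || return
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1
    security add-generic-password -U -a "$1" -s "$SERVICE" -w "$2" "$KEYCHAIN"
}

# secret_get NAME: print only the secret value (-w) on stdout.
secret_get() {
    [ "$#" -eq 1 ] || { echo "usage: secret_get NAME" >&2; return 2; }
    need_password || return
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1
    security find-generic-password -a "$1" -s "$SERVICE" -w "$KEYCHAIN"
}

# Lock the keychain again once provisioning or reading is finished.
secrets_lock() {
    security lock-keychain "$KEYCHAIN"
}
```

A deployment would call `secrets_init` once and `secret_put` per secret; a service wrapper calls `secret_get NAME` at start-up and `secrets_lock` afterwards.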