I dunno, I think I'd rather use Bitwarden Secrets to pull the current ones using systemd preexec and an access key in the service file, which is root and 600.
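A sketch of the setup this comment describes, added here as an illustration and not taken from the commenter's system. It assumes "preexec" means systemd's `ExecStartPre=` and that the Bitwarden Secrets Manager CLI (`bws`) is installed at `/usr/local/bin/bws`; the unit name, application path, project ID and token are placeholders.

```ini
# /etc/systemd/system/example-app.service
# Constructed example. Install with: chown root:root, chmod 0600.
[Unit]
Description=Example app that pulls its current secrets at start
Wants=network-online.target
After=network-online.target

[Service]
Type=simple

# Access token for the Secrets Manager machine account, kept in the unit file.
# Placeholder value. Note that systemd exposes Environment= values to
# unprivileged clients over D-Bus (visible in "systemctl show"), so the 0600
# file mode is not the only exposure to review.
Environment=BWS_ACCESS_TOKEN=REPLACE_WITH_ACCESS_TOKEN

# Creates /run/example-app as a root-only directory and removes it on stop,
# so fetched secrets never land on persistent storage.
RuntimeDirectory=example-app
RuntimeDirectoryMode=0700

# Fetch the current secrets of one project as KEY="value" lines.
# PROJECT_ID_PLACEHOLDER is an assumption; umask 077 keeps the file 0600.
ExecStartPre=/bin/sh -c 'umask 077 && /usr/local/bin/bws secret list PROJECT_ID_PLACEHOLDER --output env > /run/example-app/secrets.env'

# Environment files are read just before each command is executed, so the
# file written by ExecStartPre is picked up by ExecStart. The leading "-"
# tolerates the file not existing yet when ExecStartPre itself runs.
EnvironmentFile=-/run/example-app/secrets.env

# Drop the access token from the application's environment; the app only
# needs the fetched secrets, not the credential used to fetch them.
ExecStart=/usr/bin/env -u BWS_ACCESS_TOKEN /usr/local/bin/example-app

Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Because the fetch runs on every start, restarting the service picks up rotated secrets; only the access token itself stays static on disk.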