Keys are stored in a keyring. All keyring items are encrypted, using a password/salt derived key from authentication. This provides an important additional layer of protection on platforms such as Windows and Linux, where the underlying system keyring/crendentials are only secure at the user account level.
The github.com/keys-pub/keys/keyring package uses the following APIs:
The Keychain API via the github.com/keybase/go-keychain package.
The Windows Credential Manager API via the github.com/danieljoos/wincred package.
The Secret Service dbus interface via the github.com/zalando/go-keyring package. The Secret Service dbus interface, which is provided by GNOME Keyring.
There is a filesystem based keyring for other OS types that have no system keyring.