I am doubling a little bit as a DevOps in the company where I am now. Recently I showed them the 12 factor app standard, that specifies you should not have your ENV, config and passwords inside your git repository together with your project - you should store them in a safe place instead.
Research
After some research we came across Vault however our team manager now thinks this is quite overkill and will soon become a monster.
Torus seemed a good alternative but the install page doesn’t even work, will be paid and it looks like it only runs for Node.
I also read this discussion but there is no definitive answer:
Currently smaller projects get deployed via ansible, secrets stored in ansible-vault (which is not the same as hashicorp vault!). These get written to a file as environment variables (which the systemd unit reads) and then that’s restricted via file system permissions (only root and application user can read the file). It’s not perfect, but does give you a good starting point before heading to things like hashicorp Vault imho
Using ansible-vault is a good starting point, but if you have more than a few secrets, or need to generate things like certs for inter-service TLS, I’d recommend the investment in Hashicorp Vault. It really is invaluable, especially when coupled with something like envconsul.
If you stick with ansible-vault, I’ve found this to be helpful. Otherwise, it is easy to forget where vaulted vars are, and grep does you no good since they are encrypted at rest. Be sure to keep those refs close to where the actual vaulted vars are.
Mozilla Sops is a nice tool. Encrypted secrets stored in YAML/JSON, keys in plaintext, values encrypted with one or more of AWS KMS, GCP KMS, Azure Key Vault, PGP. Encrypted datafile can be checked into the repo. Supports diffing.
I currently run Metamorphic with Render, similar to Heroku, so the 12 factor method also works really well. Render also allows you to have environment groups and files in addition to your environment variables.
That can be incredibly nice for organization and quickly scoping secrets across services.
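As an added example, not taken from the thread or from any of the tools it names: a small Python audit for the ansible-vault to systemd EnvironmentFile pattern quoted above. It verifies the file-system restriction that setup relies on (no access for "other", not group-writable, expected owner) and that every secret was actually rendered rather than shipped as an empty value. The `owner_uid` argument and the file contents in `demo()` are constructed assumptions; in a real deployment the owner would be root.

```python
import os
import re
import stat
import tempfile

# A line systemd accepts in an EnvironmentFile: NAME=value (blank and # lines are skipped).
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=(.*)$")


def check_env_file(path, owner_uid):
    """Audit one deployed EnvironmentFile; returns a list of findings (empty means it passes).

    The thread's protection is purely file-system permissions, so that is what
    gets checked, plus a content check: a template that failed to render leaves
    NAME= with nothing behind it, and the service would start with an empty secret.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append("world-accessible: mode %04o" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable: mode %04o" % mode)
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = ENV_LINE.match(line)
            if not m:
                findings.append("line %d: not a NAME=value pair" % lineno)
            elif not m.group(1).strip():
                findings.append("line %d: empty value" % lineno)
    return findings


def demo():
    """Constructed sample: the same file with mode 0640 (as in the thread) and with 0644."""
    content = "# rendered by the deploy (constructed sample)\nDB_PASSWORD=s3cret-example\nAPI_TOKEN=\n"
    fd, path = tempfile.mkstemp(suffix=".env")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o640)  # owner and group (root:app) only, as described above
        restricted = check_env_file(path, os.getuid())  # assumption: current user stands in for root
        os.chmod(path, 0o644)  # common mistake: any local user can read the secrets
        world_readable = check_env_file(path, os.getuid())
    finally:
        os.unlink(path)
    return restricted, world_readable
```

Both runs flag the unrendered `API_TOKEN=`; only the second one also reports the world-readable mode.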