We aren’t quite sorted enough to use Hashi Vault everywhere, so a few of our teams are using https://dotat.at/prog/regpg/, which is a wrapper around gpg that enormously simplifies key management, in a way that works well with a version control system. It has hooks to work with Git and Ansible, because that’s what we use, but the core functionality can work with other tools equally well.
You might also consider https://github.com/StackExchange/blackbox, which does the same job in a similar way.