Since dinosaurs roamed the earth I've used hiera-eyaml to encrypt secrets inside Puppet's Hiera data sources. Both the Puppetserver and operators use a keypair to encrypt values in otherwise plaintext YAML files. These files are safe to commit to SCM.
Recently I read an article comparing Vault to SOPS. Aside from the Vault critique, it is a good introduction to cloud KMS, which I had never played with in isolation.
SOPS is pretty interesting. It supports a bunch of encryption methods, including age, which these days I tend to use instead of PGP, since PGP irritates me.
Here, though, I'm more interested in using GCP KMS, since it brings strong authentication and authorization facilities to the question of who can decrypt what. This addresses a weakness of a 'static' backend: you can rotate the permitted keys, but old ciphertext is still decryptable by previous key holders.
A single GCP KMS key and a thousand operations on it cost around ten cents a month. It definitely falls inside the category of "cloud services I'd use in isolation for non-cloud projects", like S3 / GCS or Parameter Store / Secret Manager.
Anyway, I did a minimal Terraform GCP project to kick the tyres.
There's no Hiera backend for SOPS, so this is all a bit of a ramble - to actually use this for, e.g., Puppet requires Additional Work.
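As an added example (not the author's Terraform project), here is a minimal key plus IAM layout of the kind the post describes: one KMS key, operators who may encrypt and decrypt, a Puppetserver service account that may only decrypt, and a generated `.sops.yaml` pointing SOPS at the key. The project id, region, group address and service-account name are assumed placeholders.

```hcl
# Added example, not the post's own project. Placeholders: project id, region,
# the operators group and the Puppetserver service account are all assumptions.
variable "project" { default = "my-sops-project" }

provider "google" {
  project = var.project
  region  = "europe-west2"
}

resource "google_kms_key_ring" "sops" {
  name     = "sops"
  location = "europe-west2"
}

resource "google_kms_crypto_key" "hiera" {
  name     = "hiera"
  key_ring = google_kms_key_ring.sops.id
  # Rotation creates new key versions; old versions remain so existing
  # ciphertext still decrypts. Access is revoked via IAM below, not rotation.
  rotation_period = "7776000s" # 90 days
  lifecycle { prevent_destroy = true }
}

# Operators editing Hiera data need to encrypt and decrypt.
resource "google_kms_crypto_key_iam_member" "operators" {
  crypto_key_id = google_kms_crypto_key.hiera.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "group:ops@example.com"
}

# The Puppetserver only ever decrypts. Removing this binding cuts off access
# to all existing ciphertext immediately, unlike handing out an age/PGP key.
resource "google_kms_crypto_key_iam_member" "puppetserver" {
  crypto_key_id = google_kms_crypto_key.hiera.id
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:puppetserver@${var.project}.iam.gserviceaccount.com"
}

# Render a .sops.yaml so `sops -e -i secrets/common.yaml` needs no --gcp-kms flag.
# The crypto key's id is already in the projects/.../cryptoKeys/... form SOPS expects.
resource "local_file" "sops_config" {
  filename = "${path.module}/.sops.yaml"
  content = yamlencode({
    creation_rules = [{
      path_regex = "secrets/.*\\.yaml$"
      gcp_kms    = google_kms_crypto_key.hiera.id
    }]
  })
}
```

Decryption then works for any principal holding one of the two roles and authenticated through Application Default Credentials, which is the authorization story the post is after.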