It's unclear to me if you are trying to encrypt the data in transit, in memory or at rest?

I don't know anything about your environment but if I were in AWS I would be using KMS; this blog post walks through it:

https://blog.koan.co/securing-customer-data-with-kms-and-env...

Hi, I am trying to encrypt at rest. I would love to use AWS and KMS, but I won't be using public cloud for that :( The app will run on a VPS-like setup (DigitalOcean or similar).

Hi,

You can still use KMS even if you are hosting on a VPS. You don't need to send your data across the internet, just your key requests. All of the major cloud providers have implementations of encryption services:

AWS: https://aws.amazon.com/kms/
Azure: https://azure.microsoft.com/en-us/services/key-vault/
GCP: https://cloud.google.com/kms/

Open source alternatives (but I'd recommend using a hosted solution as maintaining one of these might be a bear): https://github.com/cloudflare/redoctober, https://github.com/StackExchange/blackbox
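The pattern the reply above describes (the VPS only sends key requests to the hosted KMS, never the data) is envelope encryption. Below is an added example of it in Go; it is not code from any commenter or from the KMS products linked. The `KeyService` interface and the in-memory `stubKMS` are assumptions standing in for the provider's SDK calls so the example runs offline; in production the stub would be replaced by a client whose `GenerateDataKey` and `DecryptDataKey` hit the remote service over TLS, while the records themselves are encrypted and decrypted locally with AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is the only component that talks to the remote KMS (assumed
// interface). The record plaintext never crosses it, only key material does.
type KeyService interface {
	GenerateDataKey(keyID string) (plaintextKey, encryptedKey []byte, err error)
	DecryptDataKey(keyID string, encryptedKey []byte) ([]byte, error)
}

// stubKMS stands in for the hosted service: it holds a master key the
// application never sees and wraps/unwraps data keys with AES-GCM.
type stubKMS struct{ masterKeys map[string][]byte }

func newStubKMS(keyID string) *stubKMS {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		panic(err)
	}
	return &stubKMS{masterKeys: map[string][]byte{keyID: mk}}
}

func (s *stubKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	mk, ok := s.masterKeys[keyID]
	if !ok {
		return nil, nil, errors.New("unknown key id")
	}
	dk := make([]byte, 32) // fresh 256-bit data key per record
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	wrapped, err := sealAESGCM(mk, dk)
	if err != nil {
		return nil, nil, err
	}
	return dk, wrapped, nil
}

func (s *stubKMS) DecryptDataKey(keyID string, encryptedKey []byte) ([]byte, error) {
	mk, ok := s.masterKeys[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return openAESGCM(mk, encryptedKey)
}

// sealAESGCM returns nonce||ciphertext||tag using a random 12-byte nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and fails on any tampering (GCM tag check).
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Envelope is what is stored at rest: the locally encrypted record plus the
// wrapped data key. Without the KMS master key neither part is usable.
type Envelope struct {
	KeyID        string
	EncryptedKey []byte
	Ciphertext   []byte
}

// EncryptRecord fetches a data key, encrypts locally, then zeroes the key.
func EncryptRecord(ks KeyService, keyID string, record []byte) (*Envelope, error) {
	dk, wrapped, err := ks.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dk, record)
	for i := range dk {
		dk[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, EncryptedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord sends only the wrapped key to the KMS, then decrypts locally.
func DecryptRecord(ks KeyService, env *Envelope) ([]byte, error) {
	dk, err := ks.DecryptDataKey(env.KeyID, env.EncryptedKey)
	if err != nil {
		return nil, err
	}
	return openAESGCM(dk, env.Ciphertext)
}

func main() {
	ks := newStubKMS("customer-data") // constructed key id for the stub
	env, err := EncryptRecord(ks, "customer-data", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(ks, env)
	fmt.Printf("stored %d ciphertext bytes, round trip ok: %v\n", len(env.Ciphertext), err == nil && string(pt) == "constructed sample record")
}
```

One data key per record limits the blast radius of a leaked key to that record, and the wrapped key stored beside the ciphertext is what lets the hosted KMS revoke access later by disabling the master key.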