Don't keep encrypted secrets in your git repositories, if for no other reason than that it makes access revocation deceptively difficult --- but also because it encourages you to have a development team in which ordinary devs have a full complement of secrets on their laptops at all times.

Instead, keep secrets "out of band" and supply them to applications as part of your deployment process.

Just curious - what's the preferred way of passing secrets from the deployment process to the application?

Environment variables? Simple to use and understand but can leak to child processes and crash reports.

Files on disk? Usually can also be read by children.

Via stdin on app startup? Seems simple...

Some other way?