9. Mozilla SOPS
+ Ibotta sopstool
Multiple files, versioned along with code
No drift, keep version history
JSON/YAML encrypt values, others whole file
Encrypted via KMS Keys, AES
No server (well, kms). Audit log, ACL included
Entrypoint command decrypts and executes
Limited lifetime