How did you handle new secrets / rotations? Seems like a lot to keep in sync.
Seems like we hear more frequently about the actual secrets being stored encrypted (potentially with hardware protection) in a central place, and only the keys to unlock them being distributed like this.
Not OP, but generally you wouldn't distribute the actual passphrases to the people who keep hard copy backups. You'd distribute the key to unlock the key. That way you could rotate the actual key and you just re-encrypt it with the secrets you already distributed.
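The key-wrapping arrangement described in the comment above, as an added example that is not code from any commenter: secrets are encrypted under a data key, the data key is stored wrapped under a key-encryption key (KEK), and only the KEK is what backup holders keep. It assumes the Python `cryptography` package; the `Vault` class and its method names are hypothetical.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

class Vault:
    """Hypothetical central store: keeps only ciphertext and the wrapped data key."""

    def __init__(self, kek: bytes):
        self.blobs = {}  # name -> nonce || ciphertext
        self.wrapped_dek = aes_key_wrap(kek, AESGCM.generate_key(bit_length=256))

    def _dek(self, kek: bytes) -> bytes:
        # Raises InvalidUnwrap if the wrong KEK is presented.
        return aes_key_unwrap(kek, self.wrapped_dek)

    @staticmethod
    def _seal(dek: bytes, name: str, value: bytes) -> bytes:
        nonce = os.urandom(12)
        # The secret's name is bound as associated data so blobs cannot be swapped.
        return nonce + AESGCM(dek).encrypt(nonce, value, name.encode())

    def put(self, kek: bytes, name: str, value: bytes) -> None:
        self.blobs[name] = self._seal(self._dek(kek), name, value)

    def get(self, kek: bytes, name: str) -> bytes:
        blob = self.blobs[name]
        return AESGCM(self._dek(kek)).decrypt(blob[:12], blob[12:], name.encode())

    def rotate_data_key(self, kek: bytes) -> None:
        """Re-encrypt everything under a fresh data key; the KEK is unchanged."""
        plain = {n: self.get(kek, n) for n in self.blobs}
        new_dek = AESGCM.generate_key(bit_length=256)
        self.blobs = {n: self._seal(new_dek, n, v) for n, v in plain.items()}
        self.wrapped_dek = aes_key_wrap(kek, new_dek)

if __name__ == "__main__":
    kek = os.urandom(32)  # constructed sample: the key kept on the hard copies
    vault = Vault(kek)
    vault.put(kek, "db-password", b"constructed-sample-value")
    vault.rotate_data_key(kek)  # nothing is redistributed
    vault.put(kek, "api-token", b"another-sample")  # a new secret, same KEK
    print(vault.get(kek, "db-password"), vault.get(kek, "api-token"))
```

Rotating the KEK itself only requires re-wrapping the data key, but it does mean redistributing the new KEK to every holder.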