We use vault, but sometimes I just `openssl` gpg encrypt the secrets with the keys of all the members of my team and commit the .gpg to git. We all use yubikeys and use them to SSH.
Not ideal, but it works... At least until one of us resigns (but turnover is quite low here, so crossed fingers).
When a new guy arrives at the company, we generate the keys on an air-gapped computer (with ChaosKey et al.) and upload them to the yubikey (they keep a separate encrypted USB key with the private keys).
Then, some employees verify the new employee and sign their keys. They are then uploaded to the keyservers and an internal mail is sent.
Quite old school but it works quite well, alas we're small though (120).
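The weak point the comment names, a member leaving while committed `.gpg` files are still encrypted to their key, can be checked mechanically. The sketch below is an added example, not the commenter's tooling: it parses `gpg --list-packets` output (the sample is constructed) and compares recipient key IDs against a hypothetical `ROSTER` of current members' encryption-subkey IDs.

```python
import re

# Recipient (PKESK) lines as printed by `gpg --list-packets secrets.gpg`.
PKESK_RE = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})\b", re.M)
HIDDEN = "0" * 16  # key ID written when recipients are hidden (--throw-keyids)

# Constructed sample output; all key IDs are made up.
SAMPLE = """\
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 1A2B3C4D5E6F7081
\tdata: [4095 bits]
# off=527 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 0B1C2D3E4F5A6B7C
\tdata: [4096 bits]
# off=1054 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 9F8E7D6C5B4A3921
\tdata: [4094 bits]
# off=1581 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
\tlength: unknown
"""

# Hypothetical roster: encryption-SUBKEY id -> current team member.
# (The packet carries the subkey id, not the primary key id.)
ROSTER = {
    "1A2B3C4D5E6F7081": "alice",
    "0B1C2D3E4F5A6B7C": "bob",
    "CAFE0123456789AB": "carol",
}

def audit(list_packets_output, roster):
    """Compare the recipients of one encrypted file with the current roster."""
    found = {k.upper() for k in PKESK_RE.findall(list_packets_output)}
    hidden = HIDDEN in found          # recipients that cannot be identified
    found.discard(HIDDEN)
    current = {k.upper(): name for k, name in roster.items()}
    stale = sorted(found - set(current))                        # departed keys
    missing = sorted(current[k] for k in set(current) - found)  # cannot decrypt
    return {"stale": stale, "missing": missing, "hidden": hidden,
            "ok": not (stale or missing or hidden)}

if __name__ == "__main__":
    print(audit(SAMPLE, ROSTER))
```

A `stale` hit means the secret itself needs rotating, not only re-encrypting: the old ciphertext stays in git history and remains decryptable with the departed member's key.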