Why not in the code? As I see it, we're not trying to fend off Mr Über attacker, just avoid that your keys become public by mistake.
And instead of a secret key which is easily searchable, your method could just do some substitutions, something a bit more complicated than a Caesar cypher. Yes, it's really weak, but it beats an unencrypted secret key.
I know security-minded people are not gonna like it, but until we have a real battle-tested solution it's better than nothing.
A determined attacker will almost always win against our best defenses.
I think we have to do our best to make their job hard, but at one point we have to accept that offense is really easier than defense.