The best solution I've found is git-crypt [0]. It uses a .gitattributes file and git-hooks to dynamically encrypt files whenever you push to any other user (i.e. GitHub). The result is that the files are plain text on your (or any other user with the password) computer but are encrypted when they leave your system.
I even leave the files encrypted during the build and deployment process and only decrypt them when they reach their final resting place. Using a combination of BASH and AWS's KMS (Key Management Service) it wasn't too difficult and I feel much better about putting secret information in my source code. :)
We have a secrets.json in the codebase which is gitignored and we only commit a fake secrets_sample.json.
(The actual secrets are then ridiculously insecurely transferred between colleagues via whatever communication medium the people involved think of first. Open to suggestions there :-) )
Exactly! Just use OpenPGP! Once you've set up OpenPGP for all developers and operators that deal with secrets and production databases, it is a piece of cake to simply click the 'encrypt' button in the e-mail client whenever you need to share production log files or other potentially sensitive information with colleagues.
In an ideal world sensitive data never leaves the production environment or the machine of the developer or operator working on it, but sometimes things break down, and you need to share information to find out what went wrong, as soon as possible, with colleagues who are not necessarily physically nearby. It is best to have these tools set up and part of your workflow when you do need them.
Get everyone to sign on with Keybase.io and make GPG encryption easy (and fun!) for all. I really, really like Keybase for things like this and am trying to encourage all of my teammates to sign up, or at least use GPG encryption.
NOTE: If anyone needs an invite to Keybase.io, email me; I still have a couple left. :)
[0] https://github.com/AGWA/git-crypt
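An added example, not part of the thread or of git-crypt itself: a repository audit for the git-crypt setup described above, which flags files that .gitattributes marks with filter=git-crypt but whose committed bytes lack the header git-crypt writes on encrypted blobs (typically a file committed before its rule existed). The function names, the simplified pattern matching and the sample rules and blobs are assumptions made for illustration.

```python
import fnmatch
import posixpath

# Header git-crypt writes at the start of every encrypted blob.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"

def _matches(pattern, path):
    # Simplified gitattributes matching (assumption): a pattern without "/"
    # is tested against the basename, anything else against the full path.
    if "/" not in pattern:
        return fnmatch.fnmatchcase(posixpath.basename(path), pattern)
    return fnmatch.fnmatchcase(path, pattern.lstrip("/"))

def filter_for(path, gitattributes_text):
    """Return the filter assigned to path; the last matching line wins."""
    current = None
    for line in gitattributes_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not _matches(fields[0], path):
            continue
        for attr in fields[1:]:
            if attr.startswith("filter="):
                current = attr.split("=", 1)[1]
            elif attr in ("-filter", "!filter"):
                current = None
    return current

def plaintext_leaks(blobs, gitattributes_text):
    """Paths marked filter=git-crypt whose committed bytes are not encrypted."""
    return sorted(
        path for path, data in blobs.items()
        if filter_for(path, gitattributes_text) == "git-crypt"
        and not data.startswith(GITCRYPT_MAGIC)
    )

# Constructed sample: rules, plus blob bytes as `git cat-file blob HEAD:<path>`
# would return them for each tracked file.
SAMPLE_ATTRS = """\
secrets.json filter=git-crypt diff=git-crypt
config/*.key filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""
SAMPLE_BLOBS = {
    "secrets.json": GITCRYPT_MAGIC + bytes(12) + b"\x8f\x11\x42",  # encrypted
    "config/prod.key": b"db_password=example\n",  # committed in plaintext
    "secrets_sample.json": b'{"api_key": "fake"}',  # no rule, plaintext by design
    ".gitattributes": SAMPLE_ATTRS.encode(),
}

if __name__ == "__main__":
    print(plaintext_leaks(SAMPLE_BLOBS, SAMPLE_ATTRS))
```

Run against the bytes stored in the repository rather than the working tree, since the working tree of an unlocked clone is always plaintext.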