[nickpsecurity]

Zip it up with bogus name followed by Bcrypt or in a Truecrypt/VeraCrypt volume uploaded into Dropbox or whatever. You get benefit of proven solution for critical part, esp Truecrypt since NSA hated it, with easy usability and cost/storage/availability of 3rd party storage.

[devopsforlyfe]

I should have added that this is for enterprise use, and the main use case is providing secrets to services when provisioning new hosts / containers or updating said secrets.

Your comment sounds to me as something that would work well for personal use, as a password manager replacement.

[nickpsecurity]

Yeah, that's a lot more complex. I'll leave others to this one.