You can still use KMS even if you are hosting on a VPS. You don't need to send your data across the internet, just your key requests. All of the major cloud providers have implementations of encryption services:
AWS: https://aws.amazon.com/kms/
Azure: https://azure.microsoft.com/en-us/services/key-vault/
GCP: https://cloud.google.com/kms/
Open source alternatives (but I'd recommend using a hosted solution as maintaining one of these might be a bear): https://github.com/cloudflare/redoctober, https://github.com/StackExchange/blackbox
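The "just your key requests" point above, as an added example that is not part of the original answer: envelope encryption, where the data is encrypted on the VPS and only a small wrapped key travels to the KMS. Assumptions: `LocalStandInKMS` is a constructed offline stand-in whose two methods mirror the shape of boto3's `generate_data_key` and `decrypt` calls, the key alias is hypothetical, and the third-party `cryptography` package is installed.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class LocalStandInKMS:
    """Constructed stand-in for a hosted KMS so the example runs offline.
    It counts the bytes a caller would have sent over the network."""
    def __init__(self):
        # Master key: generated inside the "KMS" and never returned to callers.
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))
        self.bytes_received = 0

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        self.bytes_received += len(KeyId)
        plaintext, nonce = os.urandom(32), os.urandom(12)
        wrapped = nonce + self._master.encrypt(nonce, plaintext, KeyId.encode())
        return {"Plaintext": plaintext, "CiphertextBlob": wrapped}

    def decrypt(self, CiphertextBlob, KeyId):
        self.bytes_received += len(CiphertextBlob) + len(KeyId)
        nonce, body = CiphertextBlob[:12], CiphertextBlob[12:]
        return {"Plaintext": self._master.decrypt(nonce, body, KeyId.encode())}

def encrypt_record(kms, key_id, data):
    """Encrypt locally on the VPS; only the key request goes to the KMS."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = os.urandom(12)
    ciphertext = AESGCM(dk["Plaintext"]).encrypt(nonce, data, None)
    # Persist the wrapped key beside the ciphertext; the plaintext key is dropped.
    return {"wrapped_key": dk["CiphertextBlob"], "nonce": nonce,
            "ciphertext": ciphertext}

def decrypt_record(kms, key_id, record):
    """Ask the KMS to unwrap the data key, then decrypt locally."""
    key = kms.decrypt(CiphertextBlob=record["wrapped_key"], KeyId=key_id)["Plaintext"]
    return AESGCM(key).decrypt(record["nonce"], record["ciphertext"], None)

def demo():
    kms = LocalStandInKMS()
    key_id = "alias/example-app"      # hypothetical key alias
    data = os.urandom(1_000_000)      # constructed 1 MB payload
    record = encrypt_record(kms, key_id, data)
    restored = decrypt_record(kms, key_id, record)
    return restored == data, kms.bytes_received, len(data)

if __name__ == "__main__":
    ok, sent, size = demo()
    print(f"round trip ok={ok}; sent {sent} bytes to KMS for {size} bytes of data")
```

With a real provider, the stand-in is replaced by the provider's client and the stored record stays the same: wrapped key, nonce, ciphertext.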