Mozilla SOPS, a tool for encrypting secrets for storage in source control systems, lets you encrypt secrets using the Shamir Sharing Threshold. You can use (and mix and match!) keys stored in of the first-party cloud secrets managers (AWS Secrets Manager, GCP KMS, Azure Key Vault), Hashicorp Vault, GnuPG, or Age.
Various IaC ecosystems have integrations for it. It's probably the best way to store secrets for Nix-based deployments, and there are also docs and integrations that pair it up with Kubernetes and Terraform.
Idk how many companies are really using keygroups, though. Probably in some of them, the repos are public and can tell you that.
Hashicorp Vault by default makes use of this mechanism to ensure certain actions (most notably starting Vault and unlocking the secret store for use) require multiple users to approve it.
Shamir seals
The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
Various IaC ecosystems have integrations for it. It's probably the best way to store secrets for Nix-based deployments, and there are also docs and integrations that pair it up with Kubernetes and Terraform.
Idk how many companies are really using keygroups, though. Probably in some of them, the repos are public and can tell you that.
https://github.com/mozilla/sops