by 3np 1201 days ago
HashiCorp Vault. Checks all your boxes, I think.

Or for something more lightweight (though it sounds like you're just about getting to the size where something more instrumented is worth it), you can have a git repo with secrets encrypted with individual keys. (git-secret and pass are two of the more popular ones here)

> 8. Bonus: How to manage non-technical secrets, e.g. credentials for web shops to order supplies? Multiple people would have to order something.

Probably using a separate system. Bitwarden, 1Password, KeePassXC.
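As an added illustration of the "git repo with secrets encrypted with individual keys" layout the comment above recommends (example code written for this page, not code from the commenter, pass or git-secret): each secret is encrypted once under a random data key, and that data key is wrapped once per team member, so any listed member can decrypt. It also shows the part people miss when someone leaves: deleting their wrapped key is not enough, because they still hold the old data key and git history still holds the old ciphertext. Two simplifications are assumed so it runs with the standard library only: per-member symmetric keys stand in for each person's GPG/age public key (a real tool would wrap to public keys), and the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a demo construction rather than a substitute for age, GPG or AES-GCM. The member names and the `webshop: hunter2` secret are constructed sample data.

```python
"""Envelope-encrypted secrets in a repo: one data key per file, wrapped per member.

Assumptions (demo only): symmetric per-member keys in place of GPG/age public keys,
and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC in place of a
real AEAD. Use age, GPG or AES-GCM for anything that matters.
"""
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecretFile:
    """What gets committed: the ciphertext plus one wrapped data key per member."""

    def __init__(self, plaintext: bytes, member_keys: Dict[str, bytes]):
        self.ciphertext = b""
        self.wrapped: Dict[str, bytes] = {}
        self._rewrap(plaintext, member_keys)

    def _rewrap(self, plaintext: bytes, member_keys: Dict[str, bytes]) -> None:
        data_key = secrets.token_bytes(32)          # fresh data key every time
        self.ciphertext = seal(data_key, plaintext)
        self.wrapped = {name: seal(key, data_key) for name, key in member_keys.items()}

    def read(self, name: str, member_key: bytes) -> bytes:
        if name not in self.wrapped:
            raise PermissionError(f"{name} is not a recipient of this file")
        return open_sealed(open_sealed(member_key, self.wrapped[name]), self.ciphertext)

    def add_member(self, name: str, member_key: bytes, sponsor: str, sponsor_key: bytes) -> None:
        """An existing member unwraps the data key and wraps it for the newcomer; no re-encryption."""
        data_key = open_sealed(sponsor_key, self.wrapped[sponsor])
        self.wrapped[name] = seal(member_key, data_key)

    def remove_member(self, name: str, all_keys: Dict[str, bytes], requester: str, requester_key: bytes) -> None:
        """Dropping the leaver's wrapped key is not enough: they still hold the old data key and git
        history keeps the old blob. Re-encrypt under a new data key for everyone else (and rotate
        the credential itself, which no tool can do for you)."""
        plaintext = self.read(requester, requester_key)
        self._rewrap(plaintext, {n: k for n, k in all_keys.items() if n != name})


def demo() -> dict:
    """Add a member, remove one, and show what the leaver can and cannot still read."""
    keys = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
    f = SecretFile(b"webshop: hunter2", {"alice": keys["alice"], "bob": keys["bob"]})
    out = {"alice_reads": f.read("alice", keys["alice"])}

    f.add_member("carol", keys["carol"], sponsor="alice", sponsor_key=keys["alice"])
    out["carol_reads"] = f.read("carol", keys["carol"])

    old_ciphertext, old_wrapped_bob = f.ciphertext, f.wrapped["bob"]   # what git history retains
    f.remove_member("bob", keys, requester="alice", requester_key=keys["alice"])
    try:
        f.read("bob", keys["bob"])
        out["bob_locked_out"] = False
    except PermissionError:
        out["bob_locked_out"] = True

    old_data_key = open_sealed(keys["bob"], old_wrapped_bob)          # bob still has this
    out["bob_reads_old_history"] = open_sealed(old_data_key, old_ciphertext)
    try:
        open_sealed(old_data_key, f.ciphertext)                        # new blob, new data key
        out["old_key_opens_new_file"] = True
    except ValueError:
        out["old_key_opens_new_file"] = False
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `bob_reads_old_history` result is the point worth remembering: re-encrypting after an offboarding protects future versions of the file, but any credential that was ever committed in a form the leaver could decrypt has to be rotated at the source (the web shop, the API provider), not just re-wrapped.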


Warning to anyone interested in Vault. Vault policies involve a learning curve. Maybe they have improved documentation and examples since I learned Vault management but I remember how complicated and time-consuming it was.

This was the problem I found with Vault too - I ended up as the only person in the company that knew how to use it and therefore it became a burden very quickly. We switched to EnvKey which basically has zero learning curve.

For a small team I wouldn't go there. Except if the product requires a higher level of security and we have no money to spend on the SaaS or self-hosting is a requirement.

The problem isn't self-hosting. It's the ongoing setup and management through their DSL.

FWIW, if you don't require the single-pane management, some scenarios can be simplified by deploying additional individual clusters/instances with separate access rather than controlling only via policy.

Mentioning since I've def seen people get stuck and forget to consider the obvious.