bank-vaults VS Passbolt

there's https://github.com/banzaicloud/bank-vaults wich is a wrapper for hashivault, so not exactly what you're looking for but worth looking into.

https://github.com/banzaicloud/bank-vaults. Mind you after Cisco bought Banzai work on this project seems to have stopped. It works very well for us though.

We are using Banzai Bank Vaults Webhook and we’re very happy with it.

If you ever want to see vault at that kind of level check out bank-vaults. Overkill for many, but it sounds like a decent fit for what you've already got in place and might reduce the boilerplate.

Use vault-env (we use https://github.com/banzaicloud/bank-vaults) to inject the secret as an ENV var to the pod at runtime, based on Vault's Kubernetes auth

We use bank vault to inject secrets as environment variables. This does not require changes to the app. A sidecar is automatically added to the pod to retrieve the secrets and inject them in the app runtime. Here’s the link https://github.com/banzaicloud/bank-vaults

I can follow up with examples if you'd like. You might like BanzaiCloud's Bank Vaults. We personally only use the Configurer component which just provides useful mechanisms to dynamically, or once off, configure Vault via data structures we supplied via ConfigMap.

Encrypted secrets can't be more than a temporary solution. That's why I'm not a fan of SOPS/Sealed Secrets/etc. I think the future for both security and usability is dynamic injection. Vault is the dopeness but I'm not a fan of the upstream Vault Injector -- shared volumes are a step backwards. It's all about the BanzaiCloud Vault Webhook -- secrets **only ever available to the running process**, rotation means: update the value in vault and bounce the pod, done. This is the way.

Passbolt - Open Source Alternative to 1Password

Here's another to add to the list, Passbolt. It is open source and basically built for teams and enterprise. It is design primarily with a unique security model which is based on asymmetric end-to-end encryption, with user-owned encryption keys and support easy cross functional team collaboration. Can it hosted on-prem or host it in cloud depending on your preference. Might be too much information and a tad bias as I work here but wanted you to have all the information as passbolt fits your requirement for business level password manager.

Fyi there is also Passbolt.

I currently switched from keepass to passbolt: https://www.passbolt.com/

I might be bias here as I work here but another recommendation would be passbolt. Open source password manager that is built for teams and businesses. You can either self-host or host it in the cloud, really depending on what you require and supports secure granular sharing of credentials with nested permission in just a few clicks. Its a solution that is built with security as a top priority. It supports asymmetric end-to-end encryption based on OpenPGP cryptography using both public-private key for encryption/decryption. No secret key is stored on the server side. Both the free community edition and the paid pro version are 100% open source.

All that said...here's my shameless plug: I work for passbolt. You mentioned you have a small team, you might give it a look: https://www.passbolt.com/ there's a community edition you can install for free on the server of your choice. I'm here and happy to answer any questions.

Passbolt for passwords (backed up to KeepassX files)

Have you checked out Passbolt? Its open source built for teams and organisations. Supports asymmetric end-to-end encryption, based on OpenPGP. Its on-prem or you can host it in cloud. You can either opt for the Pro/Enterprise version or the free community edition depending on what you need.