Use GPG to keep your Rails secrets secure (bugsnag.com)
19 points by loopj on May 12, 2014 | 3 comments


I prefer using Symmetric Encryption: https://github.com/reidmorrison/symmetric-encryption

It's super simple to set up and maintain. The only pain point is how to distribute the private key to new users. Haven't quite found a super easy way to do that yet. Generally we just airdrop it to the person.


(Re-)encrypt it to the GPG keys of the people you want to have access and stick it in the repo?


I prefer storing secrets/api tokens in a database.

Runs the risk of leaking secrets via a SQL injection exploit though, but if that happens, you're already screwed.

For development, we consider all keys/tokens available to developers as public -- i.e. for authorize.net accounts, those tokens are tied to test accounts.



