If not GPG, then what?

Sometimes you need to keep secrets. Maybe you are involved in organized crime or a revolutionary organization. Maybe you need safe-keeping for your build system credentials.

In my very limited experience, gpg is painful to use.

I've tried to use Hashicorp Vault, but I'm not sure I've understood its documentation. I think it recommends storing secrets in a vault on a dedicated secret server, and connecting to that server via a well-known URL when you need authentication tokens. And if/when that server needs to restart? Require three separate humans to manually, interactively, apply their keys to unlock the vault and get things running again.

Yikes.

What are the alternatives?

Darned if I know. But I just tripped across this post by Latacora and am grateful to its author(s). The recommendations seem to be:

• For secure chat, use Signal. (Or WhatsApp? Really?)
• Don't encrypt email. [Insert long list of failure modes.]
• Use Magic Wormhole or Signal to send files securely.
• Use tarsnap to encrypt backups.
• Use signify or Minisign to sign packages.
• Use libsodium to encrypt application data.