FWIW there has been discussion among those of us who regularly dip our toes in
the OpenSSL support code to add some form of integration with vaults (like
Vault from HashiCorp, IPA/IdM from Red Hat, Keychain from Apple etc) for storing
secrets.  AFAIK there are no concrete patches to look at (yet?), but there is
interest and it will most likely be discussed at PGConf.dev in case you are
thinking of attending.

I've been toying with the idea of building a key manager extension that could
be used by others to get hold of secrets or use encryption keys without
necessarily having to know where those secrets would be stored. It could use
loadable shared libraries for the different providers similar to how we do it
for OAuth.

I don't believe this code would have to start out in core at all, but maybe we
will want to integrate it later for reasons.

--

Anders Åstrand
Percona
