HF tools are not designed for the long term, generally. If you need a tool to work at least once, for one job that you are never going to do again, HF is "good enough".
The rule of thumb is to never buy a tool there that could result in a gruesome death if it fails to protect your life, like jack stands. (Invest in quality safety equipment first if you get something like an angle grinder.)
Let me check....
Sorry to say, we found your name on the list of cool people! High five!
I mean, sure. You do you, friend.
It's a sideways chefs kiss. Also, something, something, penis size.
It's worse. We are reverting back to the age of lügenpresse and hearsay comes in short-form video formats.
Many people simply do not care (or are even aware) if a source is trusted if the message aligns with their own bias or the message is presented as a new "fact". Trust is irrelevant, unfortunately.
"real" is subjective.
I would look into something like Doppler instead of Vault. (I don't trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)
Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.
This is actually a host security problem, not generally a key storage problem per se. Regardless of how you have a vault setup, my approach here is to create a single host that acts as a gateway for the rest of the credentials. (This applies to if keys are stored in "the cloud" or in a local database somewhere.)
Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it's supporting apps...)
If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn't need root again until you start performing patches.
Nope. Can't read. You caught me.
I would consider The Onion several levels above a generic tabloid. Not even in the same class. Like, The Onion actually has class.
Show me he stoned soldiers.
~~How much? Weight or volume?~~
I assume you mean weight.. Give me a sec and I'll take a guess.