I implemented a secrets manager using vim (which comes with blowfish file encryption support). We just pass the unlock key in from a secure location, such as our ci/cd pipeline, and then pass it to something like the following:
I have implemented jackson as package. Your way of vim cannot be extended to application that keeps secrets in config file (say json). With this implementation we just need to write the env and pass it to jackson, then jackson will resolve it as runtime.