I prefer using Symmetric Encryption: <a href="https://github.com/reidmorrison/symmetric-encryption" rel="nofollow">https://github.com/reidmorrison/symmetric-encryption</a><p>It's super simple to set up and maintain. The only pain point is how to distribute the private key to new users. Haven't quite found a super easy way to do that yet. Generally we just airdrop it to the person.
I prefer storing secrets/API tokens in a database.<p>Runs the risk of leaking secrets via a SQL injection exploit though, but if that happens, you're already screwed.<p>For development, we consider all keys/tokens available to developers as public -- i.e. for Authorize.net accounts, those tokens are tied to test accounts.