How to keep keys and data which should be on live out of your repository
- drupal 8 encrypt configuration
- drupal 8 config alter keep only on live
- Drupal 8 remove configuration on export
I think config_split is probably the best way (for low-security things like e-mail addresses that should just be kept out of public repos)
See https://geertvd.github.io/post/exclude-config-from-cmi-in-d8/
Of course an encrypted vault that puts the keys into settings on deploy is also possible, but even encrypted it’s preferable not to put private information out in the open.
See also:
https://www.drupal.org/docs/8/modules/encrypt/general-drupal-8-encrypt-setup-and-recommendations for use with https://www.drupal.org/project/key