I would look into something like Doppler instead of Vault. (I don’t trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)

Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.

This is actually a host security problem, not generally a key storage problem per se. Regardless of how you have a vault setup, my approach here is to create a single host that acts as a gateway for the rest of the credentials. (This applies to if keys are stored in “the cloud” or in a local database somewhere.)

Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it’s supporting apps…)

If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn’t need root again until you start performing patches.