Since my home directory is under git and managed by chef, I can't store passwords in that git repo. I have a separate repository called secrets which contain keys, password, license files. It's hard to archive because I don't like juggling gpg and shirk away from copying the secrets to Dropbox or pushing to a private github repo.
A coworker showed me https://gist.github.com/873637/d098b2adccb221f8991e8b3044f1dc0a15903f57 which details how to apply an openssl encode/decode step when files are added to the staging or work area.
I got this to work with some tweaks.
The salts and passwords are stored in a file vault encrypted USB thumb drive. I put in the USB stick, type in the vault password, and its now available when I want to work with the encrypted repo. When I'm done, unmount the USB.
I clone the encrypted repo without plaintext workarea to Dropbox:
git clone --mirror . ~/Dropbox/secrets
I pay for a github account so I can have a private repository. Pushing files to github is also encrypted, no plaintext workareas.
The clean, smudge, and textconv commands are implemented as part of a custom git subcommand, "git filter". I also add install and clone commands to "git filter" to easily add encryption to a repo.
I should add a "git filter session" command to mount the USB drive, enter a subshell, and then unmount it when subshell ends. A "wipe" command would be nice to remove the plaintext workarea.
Of course, my OSX disks are all under whole disk file vault.