I use the combination of sops and age combined with pre-commit hooks to encrypt.env files. Works tremendously well.