I really like the approach of Passbolt to manage passwords with PGP. Passbolt also has a decent API that enables some scripting, and some basic Python packages already exist.
That made me wonder if I could use Passbolt as a password safe for Saltstack. After some research, I came up with a pretty simple Python script that renders Pillars from Passbolt groups. After installing https://github.com/netzbegruenung/passbolt-salt, you need to add the following lines to a Pillar SLS file:
#!py
def run():
    from salt_passbolt import fetch_passbolt_passwords
    # The following UUID is the UUID of a Passbolt group
    return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
With that, you can access passwords in states with Jinja:
{{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
I have to admit that addressing groups and passwords with UUIDs is not the most convenient way, but it definitely works.
Please note that the passwords are accessible to all servers that use this Pillar. Therefore, create separate Passbolt groups for servers that should not share the same secrets.
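As an added example (not code from the passbolt-salt project), here is a #!py Pillar that picks a Passbolt group per server role, which gives the separation the note above asks for, and exposes passwords under readable names instead of bare UUIDs. fetch_passbolt_passwords is the function from the post; the role grain, the role-to-group mapping, the aliases and the placeholder UUIDs are assumptions made for this example.

```python
"""Constructed example: a #!py Pillar that selects a Passbolt group per
server role and exposes its passwords under readable names.

fetch_passbolt_passwords(group_uuid) is the function from the post; the
role mapping, aliases and placeholder UUIDs are made up for this example.
"""
from typing import Callable, Dict, Mapping

# Assumption: one Passbolt group per server role, so a Pillar rendered for
# a web server never carries the database servers' secrets.
GROUP_FOR_ROLE: Dict[str, str] = {
    "web": "27b9abd4-af9b-4c9e-9af1-cf8cb963680c",  # group UUID from the post
    "db": "00000000-0000-4000-8000-000000000000",   # placeholder UUID
}

# Assumption: readable names for the password UUIDs a role's states need, so a
# state can use pillar['passbolt']['names']['tls_key'] instead of a bare UUID.
ALIASES: Dict[str, Dict[str, str]] = {
    "web": {"tls_key": "3ec2a739-8e51-4c67-89fb-4bbfe9147e17"},  # UUID from the post
    "db": {"root_pw": "11111111-1111-4111-8111-111111111111"},   # placeholder UUID
}


def render_passbolt_pillar(role: str, fetch: Callable[[str], Mapping[str, str]]) -> dict:
    """Return the Pillar for `role`: the group's UUID-keyed passwords plus named aliases."""
    group_uuid = GROUP_FOR_ROLE.get(role)
    if group_uuid is None:
        # Unknown role: render an empty Pillar rather than another role's secrets.
        return {"passbolt": {}}
    secrets = dict(fetch(group_uuid))
    names = {}
    for alias, uuid in ALIASES.get(role, {}).items():
        if uuid not in secrets:
            # Fail the render loudly; a missing password must not silently
            # turn into an undefined Jinja value in a state.
            raise KeyError(f"password {uuid} ({alias}) not in Passbolt group {group_uuid}")
        names[alias] = secrets[uuid]
    return {"passbolt": {**secrets, "names": names}}


def run():
    """Entry point Salt calls for a #!py Pillar. Assumption: a `role` grain is set."""
    from salt_passbolt import fetch_passbolt_passwords
    return render_passbolt_pillar(__grains__.get("role", ""), fetch_passbolt_passwords)
```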