chezmoi supports encrypting files with age and gpg.
Encrypted files are stored in ASCII-armored format in the source directory with
encrypted_ attribute and are automatically decrypted when needed.
Add files to be encrypted with the
--encrypt flag, for example:
$ chezmoi add --encrypt ~/.ssh/id_rsa
chezmoi edit will transparently decrypt the file before editing and
re-encrypt it afterwards.